FEASIBILITY STUDY AND BENEFIT ANALYSIS OF APPLICATION VIRTUALIZATION TECHNOLOGY FOR
DISTANCE LEARNING EDUCATION AT NAVAL POSTGRADUATE SCHOOL

ABSTRACT 

The rapidly changing demands and increasing complexity in software application
deployment have necessitated new and improved approaches for delivering software
application support and updates to non-resident students at the Naval Postgraduate
School. The delivery of course material to non-resident students on locked-down
computer systems, i.e., NMCI, has become more difficult with the increased security
requirements over the past year. Many NPS course offerings require installation and
development of various software and programs on student workstations, which is
prohibited by policy. Moreover, the process of gaining approval and installation of the
course software is often longer than the upgrade cycle of the material, which affects both
resident and non-resident students’ ability to fully participate in and benefit from the
learning experience. This problem poses a challenge for the Information Technology and
Communication Services (ITACS) department at NPS. To counter this problem, NPS
must implement a new system-wide virtual software delivery method that would: a)
provide easy, client-less, conflict-free application deployment and rollback; b) reduce
costs for support and regression testing by delivering fully tested applications to users; c)
reduce infrastructure requirements and costs with no client or server components to
manage or maintain; and d) improve enterprise security with the power to transparently
run applications in user mode on locked-down PCs.
I. INTRODUCTION


Today, more organizations are looking for new ways to reduce costs in 
technologies infrastructure, utilization efficiency, and management in order to optimize 
overall IT infrastructure. As organizations grow, information technology resources such 
as servers, data center upgrades, and computer system upgrades are often required to 
maintain a stable environment. The rising costs of these resources have driven 
organizations to seek new solutions that will decrease costs, increase efficiency, improve 
quality of service, and create a well automated dynamic environment. 

According to Microsoft, an organization’s IT infrastructure can fall into one of
four categories: Basic, Standardized, Rationalized, and Dynamic (Figure 1). The basic
model is typically uncoordinated and requires more manual labor than any of the other
models, while the standardized model has a more managed IT infrastructure with limited
automation and knowledge capture (Yang, 2006). The rationalized, or business enabler,
model is a managed and consolidated IT infrastructure with extensive automation methods
(Yang, 2006). Finally, the dynamic model is an IT infrastructure that is managed with full
automation and dynamic resource usage (Yang, 2006).
Figure 1. IT Infrastructure Optimization Models (From Yang, 2006)


As shown in Figure 1 above, the goal of an organization is to optimize its IT
infrastructure by incrementally moving from a basic model to a dynamic model. Recent
advances in server-based computing and virtualization have enabled organizations to
achieve this goal while reducing costs. Some of these new technological trends have
already been utilized by federal departments such as the Department of Defense, but are
yet to be implemented by the Naval Postgraduate School (NPS). Implementing these
new technologies at NPS may dramatically reduce IT operational costs and improve the
quality of education delivery to both resident and distance learning (DL) students.

The purpose of this MBA project is to determine the feasibility of implementing a 
dynamic solution to deliver software applications to NPS DL students through 
virtualization technologies, and to conduct a benefit analysis of its use. Currently, several 
departments at NPS are facing an application delivery dilemma. DL students are unable 
to enjoy the same application resources that are available to on-campus students. The 
reason is that most DL NPS students are part of the Navy Marine Corps Intranet (NMCI) 
system that does not give students the ability to install the software applications required
for their online classes. To that end, collaboration with the NPS Office of Continuous
Learning and several academic departments was established in order to gather
information on the different types of software and their respective Operating System (OS)
environments that are required by these departments.

This professional report provides a thorough explanation of new application
delivery methods through virtualization technologies that have been implemented by
many organizations, including defense organizations. Chapter V provides an extensive
proposal on using a new application delivery method provided by a company called
Thinstall, which has been widely accepted and implemented by the Department of
Defense and several U.S. Navy bases, including a feasibility analysis for implementation
within the NPS security infrastructure as well as NMCI compatibility. Furthermore, the
report provides a comprehensive discussion on the advantages and disadvantages of
application virtualization through different application virtualization methods.
II. DESCRIPTION OF APPLICATION DEPLOYMENT METHODS


There are several methods available for application access in an organization,
including manual, imaging, electronic software distribution (ESD), server-based/thin
clients, and virtualization. The traditional method is to install all applications
locally on each user's machine. In a large organization setting, this is typically done
through a desktop management system or system imaging process. The server-based
method means that a central server houses all the applications, which are then accessed
by terminal system/thin-client users via the network. Finally, the application
virtualization method is one of the newest methods, and one that will be discussed in
more detail in later chapters.

A. MANUAL APPROACH 

The manual approach is the most traditional and labor-intensive approach to
software installation and delivery. Manual installations require some type of media, such
as a CD, DVD, USB drive, etc., to install the application onto the client’s operating
system. There is only one advantage to manual installation: it is easy and only requires
an administrator to perform the installation in a locked-down system environment.
However, there are several disadvantages to this approach. First, it is very labor intensive,
especially in large environments, therefore making it harder to perform and maintain
software upgrades. Second, it requires extensive regression testing, which adds to the
labor hours while increasing costs. Third, in the case of software version
incompatibility, it is very difficult to roll back to the old version, since that requires
reinstallation of the old software version. Finally, it does not provide a dynamic
application delivery environment.

B. IMAGING APPROACH 

The concept of imaging is to build a system manually by installing all the required 
software only once and creating an image of the system to redeploy to other systems. 
This is a commonly used method by many large organizations because it is just as easy as
manual installation but also provides faster deployments to several machines at once. 
One of the major disadvantages is that it is hardware dependent, meaning that if the 
original image was gathered using a Dell Inspiron system then that image has to be 
transferred to another Dell Inspiron system. This approach is also very sensitive to 
corruption, especially if the deployment is done over a network connection. For example, 
if during the image deployment process there is a hiccup in the network, the whole 
deployment process could freeze and will have to be redeployed from the beginning. It 
also requires more time in regression testing and is very hard to upgrade software easily. 
Finally, as with manual installation, it doesn’t provide a dynamic application delivery 
environment. 

There are several products in the computer imaging market, such as Acronis True
Image, Drive Image, Rollback Rx, Norton Ghost, and many others. Currently, NPS
utilizes the system imaging solution to deploy software applications across the different
computer systems and labs on campus. The Academics Client Services department
(ACS) within ITACS is in charge of providing and maintaining applications for 12
computer labs and 47 classroom computers. Each computer lab contains from 20 to 35
computers; therefore, manual local application installation is not an option. To make the
process easier, ACS uses an OS imaging solution called Norton Ghost. Generally, in
computer imaging one machine is used as the test PC: a fresh Windows OS is installed on
it, and then all the required software and settings are installed. Norton Ghost then
gathers a snapshot of all the software, drivers, and settings of the image PC. This image
is saved on the network, from which it is deployed to a number of computers across the
network. Although computer imaging sounds like a simple and effective solution for
NPS, there are several constraints associated with it. Often there are software
applications that are incompatible with the image gathering process; therefore, they are
either left out or installed with major errors that require re-installation. Again, this
requires IT personnel to review the deployed image to make sure that the application
software was in fact deployed successfully, assess errors, or re-install the software,
thereby increasing regression testing dramatically. This ends up being a very lengthy,
time-consuming, and costly process. In addition, in the event of a request for new or
updated software after the image deployment process, there is no option but to install the
software manually on all the machines, meaning there is no available feature that will
allow the IT administrator to send a software program across the network to the
computers.

In addition to flexibility limitations, this “push-based” method makes it 
insufficient for easy access to newly required applications. As mentioned above, any 
time an end user needs an application not currently installed, a call must be placed to the 
IT help desk before a specialist is assigned to arrange a manual installation of software 
application; therefore, it’s inefficient and costly. Moreover, this method requires support 
for hundreds or thousands of distributed systems, which leads to a loss of central IT 
control over the enterprise computing environment, especially when it comes to the 
application licensing and management which will be discussed in later chapters. 

C. ELECTRONIC SOFTWARE DISTRIBUTION (ESD)

ESD is a popular way of software delivery in large organizational settings. It
allows software to be pushed to a chosen number of computer systems at once.
This is usually an automated process that is configured on the system delivering the
software. There are several software vendors providing this solution, such as LANDesk’s
Client Management Suite, RES WISDOM, and many others. NPS currently uses LANDesk
to push important security patches and critical software to NPS computer systems over
the network, but it is not utilized to distribute software applications because of the large
variety of operating systems at NPS.

ESD solutions facilitate asset and patch management and provide easy software
deployment to clients over a network connection. In order to deploy patches or software
applications, both the patches and applications have to be packaged into the MSI format,
a Windows-specific installer file format designed for application packaging; it is a
common packaging solution but requires good packaging knowledge and skills.

Although there are advantages to ESD, there are several disadvantages that push
organizations away from its implementation. A major disadvantage is its complexity in
application packaging; others are OS compatibility limitations, long regression testing
time, complex rollbacks to previous versions, and lack of a dynamic application delivery
environment. Figure 2 below shows the lengthy application deployment process using
ESD technologies.


Current Deployment Process Using ESD

Figure 2. ESD Software Deployment Process (From Spruijt, 2007)

As shown above, there are several steps required to deploy a Windows application
using ESD. The Windows software has to first be installed on a test machine, and then
regression tests are performed to ensure that the application is working correctly. The
software is scanned for quality assurance (QA) to verify that the application can be built
and packaged using ESD technologies. If conflicts arise during the QA build step, then
those conflicts have to be resolved before the software is packaged. Generally, after the
software is packaged, a second QA test is performed, and then the software is scheduled
for distribution and published to the specified Windows systems on the network.

D. SERVER-BASED AND THIN-CLIENT APPROACH

This is a fairly modern approach that has been implemented by many
organizations. It is simply a technique that allows all the required applications to
be housed on a central terminal server, where end users can access them across the
corporate network through the display of their desktop devices. This approach was
developed to reduce total cost of ownership (TCO) by using a single server to support
dozens of applications. This allows network administrators to maintain application suites
on a single server, making them easy to manage and maintain while allowing access to
application suites from any device connected to the server without having to install the
applications on each individual computer. It is important to note that server-based
virtualization is better referred to as presentation virtualization, since the applications
are presented to the
screen of the end-users device rather than being virtualized. This means that the 
applications are processed and executed at the central server rather than the client’s 
computer. Although server-based computing can run with general PC clients, generally 
“thin-clients” are used, so named because they are very simple computer devices 
designed to run applications from a central server. These devices are different from 
normal PC devices by having lower microprocessor requirements and lower memory 
requirements. However, they still provide the same PC end-user experience while 
costing considerably less than a general PC machine. Thin-clients have better security 
advantages over PCs because they lack a removable drive, which makes it impossible for 
those using them to steal electronic data on removable media or introduce viruses to the 
network (Wyse Technology, 2004). 

Power and energy consumption is another advantage of server-based thin-client
computing. According to a study done by Wyse Technology Inc. on the power
consumption of a PC vs. a thin client, PCs consume twice the power used by a thin-client
computing station. The chart and table in Figure 3 show the power requirements for
networks using thin-client devices with monitors.
Power Requirements PC vs. Thin Client (power in watts)

Device                  Single Unit   100 Computers   1000 Computers   5000 Computers
PC station                      170          170000           170000           850000
Thin Client 8230LE               93            9300            93000           465000
Thin Client 3630LE               24            2400            24000           120000
Thin Client 3200LE               92            9200            92000           460000

Figure 3. Power Requirements PC vs. Thin Clients - Data gathered from Wyse
Technologies (After Wyse Technology, 2004)


E. VIRTUALIZATION 

Virtualization technology applications are becoming a very popular solution for
most organizations that are seeking lower IT support costs for multi-site operations,
decreasing deployment times while increasing efficiency, and increasing mobility in the
workspace. It is the only solution that provides a dynamic working environment and
better security features. Virtualization can be achieved in several forms. For example, an
organization may choose to virtualize full operating system desktops to the client or only
virtualize the applications. There are also several methods of virtualization, such as
streaming, executable self-contained application packaging, and web-enabled application
virtualization. Each method uses its own unique technology process and delivers a
variety of benefits. The variety of virtualization forms and methods has created a
choice dilemma for many organizations, which revolves around one question: “What is
the best method to use for the organization?” Based on several organizations’ case
studies, this question can only be answered by the organization itself. That’s because
each organization has its own strategy of locked-down computer system environments,
security infrastructure, and business operations needs. In other words, the virtualization
strategy should be modeled around the organizational structure, not vice versa. The next
chapter will describe in detail the different methods of application virtualization together
with their benefits.
III. EXPLANATION OF VIRTUALIZATION COMPUTING THEORY


“Virtual” is a term often used to describe something that is used to simulate
reality. A successful virtualization occurs when the user doesn’t know that whatever is
virtualized is not real; in other words, it’s successful when the user assumes that it’s
reality when in fact it is not. The same definition applies to the term virtualization. In
the information technology world an entire operating system can be installed inside a
virtual machine, then set to open in full-screen mode. The user will never be able to
tell that it’s a virtualized OS rather than a real operating system that is directly installed
on the computer’s hard drive. For example, a user could be operating in a Linux
environment that is virtualized from a Windows operating system. The details of virtual
machines will be discussed in Chapter III.

Virtualization is becoming one of the most popular methods for operating system, 
storage, network, and database server deployments. The benefits of virtualization include 
increased hardware utilization facilitating server consolidation, manageability through 
simplified development and testing, portability through hardware independence; and 
rapid deployment (Etter, 2007). To understand what virtualization is and how it operates, 
one must understand the basic operation architecture and process flow of a computer 
system. 

The standard components of a computer system are input/output (I/O), memory,
and the processor, which is made of two portions: control and data-path, or arithmetic
logic unit (Smith & Nair, 2005). The memory contains the software programs that run on
the computer system along with their required data. Physically, they are memory chips
that plug into the computer’s motherboard. Today, memory can range anywhere from
512 megabytes (MB) to several gigabytes (GB) and recently terabytes (TB). The
processor, also referred to as the central processing unit (CPU), executes what are called
instructions that are stored in memory. The control section of the CPU tells the data-path
section what to do, such as add two numbers and store the result in a certain location in
main memory (Smith & Nair, 2005). Processors also have a cache, which is memory
closer to the processor, and therefore faster than the main memory. Programs are
generally stored on a different type of memory called the hard disk. The CPU controls
access to the hard disk by transferring information from it to the main memory. This is a
function of the input part of the computer (see Figure 4). The output part of the computer
is responsible for reading data from the main memory. Input and output are relative to
the main memory, so input is data flowing to the main memory, and output is data
flowing from the main memory. Communications to and from the processor take time,
which is why the cache is useful, since communication with it is faster (Smith & Nair, 2005).
Figure 4 below shows a simple diagram of the computer architecture and its process flow.



Figure 4. Computer Architecture Process Flow (Smith & Nair, 2005) 

A. BACKGROUND AND HISTORY 

Despite the fact that the virtualization concept seems modern, its origins go back
to the early 1960s when virtual memory was introduced to mainframe computers
(Goldworm & Skamarock, 2007). IBM was first to introduce virtual memory to the
computer market in the early 1970s, which changed the computing world dramatically
(Goldworm & Skamarock, 2007). Today, virtual memory is very common in computer
systems; it works by creating an alternate set of virtual memory addresses that
applications use rather than the real addresses to store instructions and data (Smith &
Nair, 2005). By enlarging the amount of addresses, more programs can be run
simultaneously and efficiently. Figure 5 is an illustration of how virtual memory works
inside a computer system.
Figure 5. Virtual Memory Illustration (From Smith & Nair, 2005)

Figure 6. Virtual Memory and the Computer Architecture (From Savur, 2007)
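To make the "alternate set of addresses" idea above concrete, the following is an added toy model of page-table address translation written for this edit; it is not code from the report, from Smith & Nair, or from any operating system. The 256-byte page size, the Machine/Process/PageTableEntry names, and the two sample processes are all assumptions made for illustration. It shows what the paragraph describes (a process addressing memory through virtual page numbers that a page table maps to physical frames) and goes one step beyond it to show why that matters for isolation: two processes use the same virtual address yet land in different physical frames, and an access to an unmapped or read-only page raises a fault instead of reaching someone else's memory.

```python
"""Toy page-table address translation (added illustration, not the report's code).

Assumptions (for illustration only): 256-byte pages, a flat pool of physical
frames, and a one-level page table per process keyed by virtual page number.
"""
from dataclasses import dataclass, field

PAGE_SIZE = 256  # assumed toy page size; real x86 systems commonly use 4096


class PageFault(Exception):
    """Raised when a virtual page is not mapped or the access is not permitted."""


@dataclass
class PageTableEntry:
    frame: int            # physical frame number backing this virtual page
    writable: bool = True


@dataclass
class Process:
    name: str
    # virtual page number -> PageTableEntry: the process's own "alternate set
    # of addresses"; it never sees physical frame numbers directly
    page_table: dict = field(default_factory=dict)


class Machine:
    """Physical memory plus the translation a real MMU performs in hardware."""

    def __init__(self, num_frames: int):
        self.memory = bytearray(num_frames * PAGE_SIZE)
        self.free_frames = list(range(num_frames))

    def map_page(self, proc: Process, vpn: int, writable: bool = True) -> int:
        """Back virtual page `vpn` of `proc` with the next free physical frame."""
        if not self.free_frames:
            raise MemoryError("no free physical frames")
        frame = self.free_frames.pop(0)
        proc.page_table[vpn] = PageTableEntry(frame, writable)
        return frame

    def translate(self, proc: Process, vaddr: int, write: bool = False) -> int:
        """Virtual address -> physical address, or PageFault if not allowed."""
        vpn, offset = divmod(vaddr, PAGE_SIZE)
        pte = proc.page_table.get(vpn)
        if pte is None:
            raise PageFault(f"{proc.name}: virtual page {vpn} is not mapped")
        if write and not pte.writable:
            raise PageFault(f"{proc.name}: virtual page {vpn} is read-only")
        return pte.frame * PAGE_SIZE + offset

    def write(self, proc: Process, vaddr: int, data: bytes) -> None:
        # translate every byte so a write crossing a page boundary is checked
        # against each page's own mapping, not just the first page's
        for i, byte in enumerate(data):
            self.memory[self.translate(proc, vaddr + i, write=True)] = byte

    def read(self, proc: Process, vaddr: int, length: int) -> bytes:
        return bytes(self.memory[self.translate(proc, vaddr + i)]
                     for i in range(length))


def isolation_demo() -> dict:
    """Two processes use the same virtual address yet touch different frames."""
    machine = Machine(num_frames=4)
    alice, bob = Process("alice"), Process("bob")   # constructed sample processes
    machine.map_page(alice, 0)   # alice's virtual page 0 -> physical frame 0
    machine.map_page(bob, 0)     # bob's virtual page 0   -> physical frame 1
    machine.write(alice, 0x10, b"alice-secret")
    machine.write(bob, 0x10, b"bob-data")
    return {
        "alice_phys": machine.translate(alice, 0x10),   # 16
        "bob_phys": machine.translate(bob, 0x10),       # 272
        "alice_sees": machine.read(alice, 0x10, 12),    # b"alice-secret"
        "bob_sees": machine.read(bob, 0x10, 8),         # b"bob-data"
    }


def fault_demo() -> dict:
    """Unmapped and read-only pages fault instead of reaching physical memory."""
    machine = Machine(num_frames=2)
    proc = Process("p")
    machine.map_page(proc, 3, writable=False)
    outcome = {}
    for label, action in (
        ("unmapped_read", lambda: machine.read(proc, 0x0, 1)),
        ("readonly_write", lambda: machine.write(proc, 3 * PAGE_SIZE, b"x")),
    ):
        try:
            action()
            outcome[label] = "allowed"
        except PageFault:
            outcome[label] = "fault"
    outcome["readonly_read"] = machine.read(proc, 3 * PAGE_SIZE, 1)  # b"\x00"
    return outcome


if __name__ == "__main__":
    print(isolation_demo())
    print(fault_demo())
```

The point for a defender is the second function: a process cannot forge a physical address, so the page table is the enforcement point for "more programs can run simultaneously" without being able to read each other's instructions and data. The same mapping-plus-permission-check structure reappears, one level down, in the hypervisor's control of guest memory discussed later in this chapter.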

After the widespread success of virtual memory, new virtual expansions, such
as virtual machines with virtual disks and tapes that allowed system administrators to
divide a single physical computer into any number of virtual computers, were introduced
by IBM, also in the 1970s (Goldworm & Skamarock, 2007). Today, market adoption of
virtualization is flourishing rapidly and is expected to increase.

Early innovators used virtualization to solve resource utilization issues of the
mainframe environment. As stated earlier, this trend was started by IBM, when virtual
machines were made standard for their mainframes. After IBM, Sun made partitioning a
core component of the SPARC/Solaris systems (Goldworm & Skamarock, 2007). As
x86 servers moved to commercialization, organizations strove for better utilization,
which is when virtualization began to emerge rapidly (Goldworm & Skamarock, 2007).

Generally, emerging technologies go through a model with four different levels
of adoption - innovators, early adopters, early majority, and late majority. This model
could be seen as a waterfall where the emerged technology has to cross over at each level
in the model, but not all technologies have to “ride the rapids” of the waterfall to become
mainstream (Lewis & Teich, 2005). In this model, the innovators are the groundbreakers
who help to open up a new line of technology, enthusiasts willing to try new technologies
and provide valuable first experiences. The early adopters are the visionaries who are
ahead of the curve in their attitudes and behaviors and can supply initial success stories
(Lewis & Teich, 2005). The early majority consists of individuals who are more process-
oriented but are willing to invest in new technology. They tend to need references and
guidance to try new technologies, and want safety measures to guard against failure
(Lewis & Teich, 2005). Finally, the late majority is characterized by skeptics who have a
more negative attitude toward technology. They are extremely cautious in trying new
technologies, and need proof points to accept a product’s value (Lewis & Teich, 2005).
The adoption of virtualization can be illustrated in this waterfall model (Figure 7).

Figure 7. Technology Innovation Waterfall (From Lewis & Teich, 2005)
B. VIRTUAL MACHINE CONCEPT


“Modern computers are among the most advanced human-engineered structures,
and they are possible only because of our ability to manage extreme complexity” (Smith
& Nair, 2005). The complexities of computer systems start at the hardware layer. There
are hundreds of chips and transistors that are interconnected with high-speed input/output
(I/O) devices and networking infrastructure to form a single platform that allows
different software to operate (Smith & Nair, 2005). The operating system is the second
complexity layer in computer systems, which mainly consists of application programs,
libraries, graphics, and networking. There are two main levels in any computer system:
hardware and software. The hardware level is also referred to as the lower level, which
consists of physical components with real properties and defined interfaces. The
software level, otherwise known as the higher level, consists of logical components with
fewer restrictions than the lower level. To manage computer systems’ complexity, levels
of abstraction and well-defined interfaces are commonly designed (Smith & Nair, 2005).
Levels of abstraction are used to allow lower levels of a design to be ignored or
simplified (Smith & Nair, 2005). This simplifies the higher-level design components.

Well-defined interfaces allow computer design tasks to be decoupled so that 
teams of hardware and software designers can work independently (Smith & Nair, 2005). 
For example, IBM microprocessor designers can produce a chip without assistance from 
the Microsoft software designers. 

The goal of using the virtualization approach is to ensure complete isolation and
independence between the applications and operating systems, especially on NMCI
systems. Generally, there are three virtualization layers: applications, operating system,
and hardware. The following diagram provides the components of each layer.

Figure 8. Virtualization Layers (From Desai, 2006)

Hardware level virtualization is also referred to as “hypervisor,” or more 
commonly, “virtual machine.” This type of virtualization utilizes the host hardware 
machine to run multiple operating systems while simultaneously sharing a single 
hardware processor (Desai, 2006). In most cases the virtual machine/hypervisor must be 
designed for single processor architecture, for example, either a PowerPC or an Intel 
Processor. The virtual hardware provides a standard unmodified OS with full networking 
and complete isolation from the hardware but with added features such as suspend and 
resume, which allows a user to suspend a running OS session then return and resume the 
original suspended session the same way it was left (Desai, 2006). 

This type of virtualization reduces costs associated with hardware because it 
allows a user to run different OS applications on their required OS using a single 
hardware system. For example, a user can run both Linux and Windows programs on the 
same host computer. The following figure shows the difference between traditional 
versus virtualized systems. 
Before Virtualization:

• Single OS image per machine

• Software and hardware tightly coupled

• Running multiple applications on same machine often creates conflict

• Underutilized resources

• Inflexible and costly infrastructure


After Virtualization:

• Hardware-independence of operating system and applications

• Virtual machines can be provisioned to any system

• Can manage OS and application as a single unit by encapsulating them into virtual machines


Figure 9. Hardware Virtualization Overview (from www.vmware.com)

As seen in the figure above, in a virtualized hardware system an extra layer lies
directly above the processor, which makes it possible to distribute the hardware resources,
such as the CPU, memory, NIC, and disk, to two different operating systems
simultaneously.

C. SERVER VIRTUALIZATION 

One popular type of hardware virtualization is server-level virtualization, which
was first introduced by IBM in the early 1970s in its VM/370 models (Goldworm &
Skamarock, 2007). VM/370 gave IBM mainframes the ability to initiate multiple
instances of the operating system on a single mainframe (Goldworm & Skamarock,
2007). VM stands for Virtual Machine, a technology that was widely adopted by the
IBM enterprise customer base for testing new hardware and operating systems as well as
applications, which allowed users to migrate from older, smaller systems onto a newer
mainframe and consolidate with other systems and applications (Goldworm &
Skamarock, 2007). VMware was the first company to create a new market for server
virtualization. According to IDC research, “more than 75% of companies with more than
500 employees are deploying virtual servers, and more than 50% of those servers are
running production applications.” (Goldworm & Skamarock, 2007)

In addition to data center management efficiency and cost savings associated with
additional server purchases, server virtualization provides considerable cost savings in
power consumption. “According to recent surveys conducted by IT researchers, more
than 70 percent of IT managers identify power and cooling as the biggest problem in data
center management.” (EPA Report to Congress, July 2007) An average single server
rack can consume more than 20 kW alone, which causes frequent power failures in most
data centers. According to AFCOM’s Data Center Institute, power failures and limits on
power availability will interrupt data center operations at more than 90 percent of all
companies over the next five years (U.S. Environmental Protection Agency, 2007).
Server virtualization can address this problem by allowing one physical server to host
several virtual servers. With server virtualization a company can purchase only one server
instead of buying separate Windows, Linux, and Unix servers, and run all three operating
systems on the same server.

There are three different types of server virtualization: Full Virtualization, Para-
Virtualization, and OS Partitioning (Figure 10).


Three Faces of Server Virtualization. With server virtualization, a hypervisor acts as the
host operating system, whereas guest instances of operating systems and their applications
run in their own virtual machines. The result: more work out of one server and the
capability to respond to shifting loads on the fly.

Full Virtualization: The hypervisor can run virtual instances of several different operating
systems at the same time, and the virtual servers need not be aware that they are running

Para-Virtualization: Here, a version of an operating system has been specially modified to
cooperate with the hypervisor, offering considerable performance improvement.

OS Partitioning: In this case, virtual servers are still isolated from one another, but they
are all running on top of the same operating system, which has a hypervisor built in.


Figure 10. Server Virtualization Types (from Etter, 2007)
1. Full Server Virtualization 


Full virtualization is the most popular and widely used type of server 
virtualization because it uses a hypervisor to “create a layer of abstraction between virtual 
servers and the underlying hardware” (McAllister, 2007). In this case the hypervisor is 
installed directly on the hardware, therefore acting as the actual operating system. This is 
very similar to hardware level virtualization. The hypervisor controls the CPU and 
hardware access control to the computer peripherals, which tricks the operating system 
into believing that it has the resources of the entire machine under its control, when 
beneath the operating system layer the hypervisor transparently ensures that resources are 
properly and securely partitioned between different operating images and their 
applications (Crosby & Brown, 2006). This makes it possible to run any type of OS on 
the virtual server without any modifications in the system (McAllister, 2007). In simpler 
terms, the hypervisor emulates the hardware’s resources into a virtual layer that is then 
used by an operating system. Therefore, this type of virtualization is only possible given 
the right combination of hardware and software elements (Crosby & Brown, 2006). 
Today, this kind of virtualization is available not only for servers but for single 
desktops as well, and several commercial products are currently on the market, such as 
Microsoft Virtual PC and VMware. 

There are several challenges to this approach; the most common is the 
interception and simulation of privileged operations, such as input/output (I/O) 
instructions (McAllister, 2007). This is a result of the fact that many contemporary 
commodity processor architectures which evolved from earlier designs did not anticipate 
virtualization and therefore are unable to support it (Crosby & Brown, 2006). For 
example, in common x86 processor architectures there are instructions that can be executed 
in both user and supervisor modes and that produce different results depending on 
the execution mode, which can cause several performance issues in a virtual 
environment (Crosby & Brown, 2006). 
2. Para-Virtualization 


An alternative way of achieving server virtualization is through Para- 
Virtualization. The word “Para” is added next to virtualization because in this case the 
hypervisor is not directly installed as the operating system but is collaborative software 
that works closely with the guest operating system (Crosby & Brown, 2006). This 
achieves optimal performance by minimizing overhead and supporting the use of virtual 
machines that would be underutilized in full virtualization. Technically, Para- 
Virtualization presents a software interface to virtual machines that is similar but not 
identical to that of the underlying hardware (Goldworm & Skamarock, 2007). It modifies 
the guest OS in order to redirect virtualization-sensitive operations directly to the virtual 
machine monitor instead of trapping them, as is done in pure hardware virtualization 
(Goldworm & Skamarock, 2007). One of the major limitations of Para-Virtualization is 
that the guest operating system must be specifically tailored to run on top of the virtual 
machine monitor—the host program—that allows a single computer to support multiple, 
identical execution environments (McAllister, 2007). 

3. OS Partitioning 

Server OS Partitioning is different from full and Para-Virtualization in that it runs 
only one operating system that is partitioned over a hypervisor layer. In this approach, 
each operating system partition is assigned its own CPU, physical memory block, and I/O 
paths, and therefore will run its own version of the operating system (Goldworm & 
Skamarock, 2007). It is important to note that in this approach there are no shared 
resources across the different OS partitions. 

D. APPLICATION VIRTUALIZATION 

Application virtualization, also known as application service virtualization, is a 
new method that provides easy application portability. Application virtualization 
provides the ability to fully isolate the application from the client’s system; therefore, 
applications executed in a protected environment are isolated from the underlying 
hardware and software platform. Today, there are an increasing number of stakeholders 
and methods of application virtualization. Some of the biggest players include 
Microsoft SoftGrid, Altiris SVS, Citrix Application Streaming, and Thinstall 
Virtualization Suite. Methods provided by these companies include virtualized 
executable (EXE) single-file application packaging and application streaming. Some of 
the advantages of application virtualization that will be discussed in more detail in the 
next section include the ability to run applications without the need for installation 
(leading to fewer application installation conflicts), less time spent in regression 
testing, simultaneous execution of multiple versions of an application, the ability to run 
easily in mobile environments as well as client/server environments, better consolidation 
of technical support services, easy provisioning of applications, simple deployment of 
application upgrades, easy application roll-back, and a dynamic application delivery 
infrastructure (Schwab, 2006). Although application virtualization has many advantages, 
not all applications can be virtualized, which is one of its biggest disadvantages. 
The applications that cannot be virtualized are often those that require their own drivers, 
such as VPN clients, printer software, and antivirus software. Another disadvantage is the 
complexity of virtualizing software licensing that is machine specific. 

The main purpose of application virtualization is to separate application code 
from the restrictions of individual operating systems, servers, and clients. Application 
virtualization breaks down the barrier between the physical hardware, OS and the 
program that runs on top of them (Schwab, 2006). The virtualized application is 
generally provided to the user from a remote location such as a central server without the 
need to install the application on the client’s local system. However, unlike server/client 
application sharing operations, applications are not shared by multiple clients; each client 
enjoys its own fully functional application environment (Schwab, 2006). 

1. Requirements and Conditions 

There are three main conditions for an environment to qualify as an application 
virtualization environment: 
a. Isolation 


The runtime environment must completely isolate the application from 
both the hardware resources as well as any programming code associated with the 
underlying operating system (Smith & Nair, 2005). This ensures that the virtualized 
program is run independently, separate from the hardware/client system. By meeting this 
condition, the virtualized program could be executed on any machine across a 
heterogeneous network. 

b. Real Time Dynamic Assembly 

The environment needs to be able to dynamically assemble applications in 
real time. This condition ensures that the virtualized program runs the same as it would 
on a traditional system (Smith & Nair, 2005), meaning the user wouldn’t be able to tell 
the difference between a virtualized versus an installed application. The virtualized 
program should run seamlessly, using the client’s machine processing power. 

c. Steady State Process Migration 

The environment must support steady state process migration. This 
requirement deals mainly with disaster recovery in an organization. In order for any type 
of virtualized environment to be better than a traditional environment, a good disaster 
recovery plan must be in place (Smith & Nair, 2005). In most traditional environments, 
whether for an application, a data center, or a server, recovery means restarting at a 
second location. 

2. Description of Application Virtualization Types 

Today, there are several avenues available for application virtualization, three of 
which will be discussed in this report: application streaming, executable self-contained 
application packages, and web-enabled applications. There is one shared goal for these 
different avenues: deploy software without modifying the local operating system. This 
technology allows enterprises to deploy custom and licensed software across mixed 
Windows and locked-down corporate desktop environments without system changes, 
installation conflicts, or impact on stability. Based on experiments and tests run during 
this project, all three avenues made software delivery and access more fail-proof, easier, 
and more cost effective. They also shortened the time to deliver application updates, 
because regression testing was reduced to hours rather than days for single applications. 

a. Application Streaming 

Application streaming works in a very similar fashion to video/audio 
streaming. Generally, there is a small client-based application that allows virtualized 
code to be streamed down to the user over the Internet. When a user first launches the 
application, the virtualization program (e.g., SoftGrid or AppStream) streams the 
application to the user in blocks or segments. The first block is referred to as the base 
block; it consists of the main program code and configuration files that are required to 
start the program and allow use of its basic functions (Kennedy, 2006). More program 
blocks are streamed down to the user as the user starts using more complex program 
features. Generally, application streaming runs on a traditional web server using 
Hypertext Transfer Protocol (HTTP), with a Software Streaming Transfer Protocol (SSTP) 
layered over the web service (Microsoft, 2006). Figure 11 below provides an 
overview of a streaming infrastructure using Microsoft SoftGrid. As shown in the 
diagram, there are several components that must be added to the organization’s network 
infrastructure in order for application streaming to work. First, an additional 
management console for SoftGrid is required. The SoftGrid console is connected to a 
SoftGrid management web service layer that manages the communications between the 
organization’s Active Directory, the SoftGrid application and data storage server, and the 
Microsoft System Center Virtual Application Server. The Microsoft System Center Virtual 
Application Server distributes the Windows applications that are processed by the SoftGrid 
Sequencer, which creates the SoftGrid-enabled applications (Microsoft, 2006). From 
there, the Microsoft System Center Virtual Application Server distributes the applications 
to the clients’ desktops. 
Figure 11. Streaming Infrastructure using Microsoft SoftGrid (From Microsoft, 2006) 

It is important to note that application virtualization through streaming is 
only available through a live Internet connection and requires a special SoftGrid Desktop 
client to be installed on the client’s system. The client then communicates with the virtual 
application server and enables streamed applications to be authenticated and streamed to 
the user. Again, this works in a very similar fashion to audio and video streaming. For 
instance, a client will not be able to view a video stream without installing the stream- 
enabling software, such as RealPlayer or QuickTime. Therefore, stream-delivery 
software on the client’s system is a firm requirement. 

Continuous live Internet connection and stream enabling software 
installation requirements have two major disadvantages: 

1. Possible Bandwidth Consumption and Connectivity Conflicts. 
Remote clients could possibly be on slow-bandwidth networks or even have no network 
connection available to them, resulting in slow application access or no application 
access at all. AppStream and SoftGrid addressed the bandwidth problem by only 
streaming 10% of the application to the client and by building an intelligent agent that 
predicts user application usage behavior. “As a client becomes a more sophisticated 
application user, the streaming software adjusts to stream additional segments to the 
desktop, tracking usage patterns to allow it to predict future needs based on prior user 
behavior.” (Roberts-Witt, 2001) AppStream and SoftGrid addressed the possibility of 
users having no Internet connection by adding a feature that allows administrators to set 
download rights on the streamed application. In other words, the user can choose to 
download rather than stream the application. However, this still requires an initial 
Internet connection. 

2. Streaming Client Installation Requirement. This requirement is 
often considered a challenge for most locked-down system environments. Locked-down 
environments, which will be discussed in more detail in Chapter IV, do not allow clients 
to install any software on their system. Therefore, an administrator will be required to 
manually install the software on each client’s system. Sometimes, this requirement is 
impossible to meet on military locked-down systems such as NMCI, where no local 
administrator is available to install the software. 
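The block-based delivery just described, with a base block, on-demand streaming of further blocks, usage-pattern prefetching, and the administrator-granted download option, modelled as an added Python example. This is not code from SoftGrid, AppStream, or the thesis: the package contents, block sizes, feature names, and the download-rights flag are constructed for the illustration, and the sizes are chosen so that the base block is one tenth of the package, mirroring the 10% figure quoted above.

```python
# Added illustration of block-based application streaming with predictive prefetch.
# Not code from SoftGrid, AppStream, or the thesis; all package data is constructed.
from collections import Counter, defaultdict
from typing import Dict, Optional, Set

# Constructed package: block name -> size in KB. "base" is the launch block and is
# sized to be one tenth of the whole application.
SAMPLE_PACKAGE: Dict[str, int] = {
    "base": 120, "editor": 300, "spellcheck": 200, "export_pdf": 400, "macros": 180,
}


class StreamingServer:
    """Serves blocks on request and counts how much it has sent."""
    def __init__(self, package: Dict[str, int]) -> None:
        self.package = dict(package)
        self.kb_sent = 0

    def fetch(self, block: str) -> str:
        self.kb_sent += self.package[block]
        return block


class StreamingClient:
    """The small client-side agent: caches blocks, learns usage, prefetches."""
    def __init__(self, server: StreamingServer, download_allowed: bool = False) -> None:
        self.server = server
        self.online = True
        self.download_allowed = download_allowed
        self.cache: Set[str] = set()
        # Usage pattern: which feature tends to follow which (kept across sessions).
        self.transitions: Dict[str, Counter] = defaultdict(Counter)
        self.last: Optional[str] = None

    def _ensure(self, block: str) -> None:
        """Stream a block unless it is already in the local cache."""
        if block in self.cache:
            return
        if not self.online:
            raise ConnectionError(f"block '{block}' is not cached and there is no network")
        self.cache.add(self.server.fetch(block))

    def launch(self) -> None:
        """Starting the program needs only the base block."""
        self._ensure("base")
        self.last = None

    def use(self, feature: str) -> None:
        """Pull the feature's block on demand, then prefetch the likely next one."""
        self._ensure(feature)
        if self.last is not None:
            self.transitions[self.last][feature] += 1
        self.last = feature
        predicted = self.transitions[feature].most_common(1)
        if predicted and self.online:
            self._ensure(predicted[0][0])

    def download_for_offline(self) -> None:
        """Pull every block; an administrator must have granted download rights."""
        if not self.download_allowed:
            raise PermissionError("administrator has not granted download rights")
        for block in self.server.package:
            self._ensure(block)


def demo() -> dict:
    """Walks through launch, prediction and both offline cases; returns what happened."""
    server = StreamingServer(SAMPLE_PACKAGE)
    client = StreamingClient(server)
    client.launch()
    result = {"launch_fraction": server.kb_sent / sum(SAMPLE_PACKAGE.values())}
    client.use("editor")          # first session teaches the pattern editor -> spellcheck
    client.use("spellcheck")
    client.cache.clear()          # a later day: cache gone, learned pattern kept
    client.launch()
    client.use("editor")          # now the spellchecker is prefetched after the editor alone
    result["spellcheck_prefetched"] = "spellcheck" in client.cache
    client.online = False
    try:
        client.use("export_pdf")  # never streamed, and no network to fetch it
        result["offline_uncached_ok"] = True
    except ConnectionError:
        result["offline_uncached_ok"] = False
    client.online = True
    try:
        client.download_for_offline()
        result["download_denied"] = False
    except PermissionError:
        result["download_denied"] = True
    client.download_allowed = True
    client.download_for_offline()  # one online pull, then the app runs disconnected
    client.online = False
    client.use("export_pdf")
    result["offline_after_download_ok"] = True
    return result
```

Calling demo() returns the outcome of each step. The two offline cases make the section's point concrete: whether an uncached feature works without connectivity is decided by the client's cache, not by the streaming protocol, and granting download rights simply fills that cache in advance during one online session.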

b. Executable (EXE) Self-Contained Packages 

Virtualized EXE self-contained application packages are a new virtual 
application delivery technology that allows a program to be compressed and packaged into a 
single EXE file that can be opened on a locked-down system with zero footprint on the 
client’s computer. This means that the program runs in full isolation mode. 

During the research, there was only one company, Thinstall, that 
provided virtualized self-contained application delivery solutions. Thinstall is a private 
company, founded in 1999, providing application virtualization solutions to many 
companies including GE, the US Department of Defense (DoD), Intuit, Qualcomm, 
Lucent, Fujifilm, Northrop Grumman, Morgan Stanley, T-Mobile, and Toshiba 
(Thinstall, 2007). After recognizing the DoD as one of Thinstall’s customers, 
collaboration efforts were initiated with the DoD to understand how Thinstall fits in the 
DoD locked-down system infrastructure, its compatibility with NMCI, and the possibility of 
Thinstall integration within the NPS infrastructure. Based on data obtained from 
Thinstall and DoD case studies, Thinstall was considered the most viable solution for 
NPS DL students’ application delivery access, and will be discussed in more detail in 
Chapter V. 

Unlike other application virtualization methods, Thinstall’s technology is 
based on an embedded virtual operating system in each virtualized application delivered 
to the client’s system (Thinstall, 2007). The Thinstall self-contained package captures 
everything the program does on a real system, such as calls to the registry and file system, 
and emulates them in its own virtual OS. Additionally, Thinstall eliminates the need for 
any additional infrastructure, such as a required agent on the client’s system. Thinstall 
virtualized applications can be deployed using most traditional management suites, such 
as Active Directory, Microsoft Systems Management Server, and even in some cases as 
shown in Figure 12, a streaming agent such as SoftGrid (Etter, 2007). Since Thinstall 
eliminates the need for any additional support system integration in the current 
infrastructure, it is much easier and simpler to employ in an organization, which gives it 
an advantage over application streaming technologies. Figure 12 below provides a 
sample infrastructure overview of Microsoft SoftGrid integration versus Thinstall. As 
shown in the figure, SoftGrid has several extra support systems and interaction links, 
such as the SoftGrid (SG) Kernel drivers, SoftGrid cache, and network interaction links 
with the SoftGrid agents, which are not needed in Thinstall. The SG cache and SG 
Kernel drivers are installed directly in the system’s storage and operating system 
respectively, which means that unlike Thinstall, SG does not operate in full isolation 
mode. Additionally, a network connection or driver is required in SG as opposed to 
Thinstall, which does not require an Internet connection for the applications to run. 
Finally, Thinstall applications can be streamed to clients using SG, which is depicted in 
Figure 12 below. 
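How the isolation requirement from section D.1.a and the embedded virtual OS described above, which captures an application's registry and file system calls, can be modelled as a copy-on-write overlay, shown as an added Python example. This is a hypothetical model written for this page, not Thinstall's or the thesis's code; the host contents, registry paths, and the application's actions are constructed, and a conventional installer is shown beside the overlay for contrast.

```python
# Added illustration of an application virtualization layer as a copy-on-write overlay.
# Hypothetical model, not Thinstall's or the thesis's code; host contents are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional

_DELETED = object()  # overlay marker: the application "deleted" this host object


@dataclass
class HostSystem:
    """Stand-in for the locked-down workstation's registry and file system."""
    registry: Dict[str, str] = field(default_factory=dict)
    files: Dict[str, bytes] = field(default_factory=dict)


class VirtualLayer:
    """Between one application and the host: reads fall through to the host when the
    overlay has no entry; writes and deletes never leave the overlay."""
    def __init__(self, host: HostSystem) -> None:
        self._host = host
        self._registry: Dict[str, object] = {}
        self._files: Dict[str, object] = {}

    @staticmethod
    def _lookup(overlay: Dict[str, object], base: Dict[str, object], key: str):
        if key in overlay:
            value = overlay[key]
            return None if value is _DELETED else value
        return base.get(key)

    def read_registry(self, key: str) -> Optional[str]:
        return self._lookup(self._registry, self._host.registry, key)

    def write_registry(self, key: str, value: str) -> None:
        self._registry[key] = value

    def delete_registry(self, key: str) -> None:
        self._registry[key] = _DELETED

    def read_file(self, path: str) -> Optional[bytes]:
        return self._lookup(self._files, self._host.files, path)

    def write_file(self, path: str, data: bytes) -> None:
        self._files[path] = data

    def sandbox_changes(self) -> int:
        """Registry keys and files the application altered inside its sandbox."""
        return len(self._registry) + len(self._files)

    def rollback(self) -> None:
        """Discarding the overlay is the whole uninstall: nothing on the host to undo."""
        self._registry.clear()
        self._files.clear()


RUNTIME_KEY = r"HKLM\Software\Shared\Runtime"   # constructed paths
LEGACY_KEY = r"HKLM\Software\Legacy\Flag"
SHARED_DLL = r"C:\Windows\System32\common.dll"


def make_host() -> HostSystem:
    """Constructed host state used by both scenarios below."""
    return HostSystem(registry={RUNTIME_KEY: "1.0", LEGACY_KEY: "on"},
                      files={SHARED_DLL: b"host-dll-v1"})


def install_conventionally(host: HostSystem) -> HostSystem:
    """Conventional installer: every change lands on the host and stays there."""
    host.registry[RUNTIME_KEY] = "2.0"          # bumps a key other programs rely on
    host.files[SHARED_DLL] = b"vendor-dll-v2"   # overwrites a shared system DLL
    del host.registry[LEGACY_KEY]
    return host


def run_virtualized(host: HostSystem) -> dict:
    """The same changes made through the overlay; reports what app and host each see."""
    layer = VirtualLayer(host)
    layer.write_registry(RUNTIME_KEY, "2.0")
    layer.write_file(SHARED_DLL, b"vendor-dll-v2")
    layer.delete_registry(LEGACY_KEY)
    report = {
        "app_runtime": layer.read_registry(RUNTIME_KEY),
        "host_runtime": host.registry[RUNTIME_KEY],
        "app_dll": layer.read_file(SHARED_DLL),
        "host_dll": host.files[SHARED_DLL],
        "app_sees_legacy": layer.read_registry(LEGACY_KEY),
        "host_has_legacy": LEGACY_KEY in host.registry,
        "sandbox_changes": layer.sandbox_changes(),
    }
    layer.rollback()
    report["after_rollback_runtime"] = layer.read_registry(RUNTIME_KEY)
    report["after_rollback_changes"] = layer.sandbox_changes()
    return report
```

Calling run_virtualized(make_host()) shows the application seeing its own "installed" state while the host's registry key and shared DLL are untouched, and rollback() reducing the uninstall to a single discard of the overlay. The model stops at the registry and file system, which is why the text lists driver-dependent software (VPN clients, printers, antivirus) among the applications that cannot be virtualized: those need access below the layer this overlay represents.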
[Figure 12 (diagram note): Microsoft SoftGrid limits its redirection monitoring to those 
virtualized processes managed by its user mode and kernel mode agent components.] 

Figure 12. Microsoft SoftGrid vs. Thinstall Infrastructure Overview (From Etter, 2007) 


c. Web Based Applications 


Web-enabled application virtualization is actually a new presentation 
method for server virtualization. This is because the applications are initially installed on 
a central server and presented over a web browser through virtualization and Java 
technologies, and it therefore competes directly with thin-client technologies. There was 
only one identified company that provides this solution: GraphOn. GraphOn provides a 
solution called Go-Global that enables the extension of Windows, UNIX, and Linux 
applications and desktop interfaces to the web without the need for complex code 
programming or knowledge (GraphOn, 2006). Figure 13 below illustrates an overview of 
the communication between the server and the client’s web browser. 



[Figure 13 (diagram): application sessions on the server (Session 1, Session 2, ..., 
Session n) delivered through the browser to Display Terminal 1, Display Terminal 2, and so 
on.] 

Figure 13. Go-Global Application Publishing in a Windows Environment (From GraphOn, 2006) 

The solution has several benefits; first, it gives clients the ability to access 
their applications from any location regardless of network connection speed, computer 
platform, or OS. According to GraphOn, their Go-Global solution utilizes advanced 
server-based technology with “near-zero-footprint clients” to provide web-enabled 
applications that are “totally transparent” to the users (GraphOn, 2006). As shown in 
Figure 13 above, Go-Global uses a patented protocol similar to Remote Desktop Protocol 
(RDP) called Rapid X Protocol (RXP). RXP enables the programs to run faster and more 
efficiently, with Local Area Network (LAN)-like performance over any network 
bandwidth connection speed, the slowest being dial-up connections (GraphOn, 
2006). Additionally, since the technology utilizes the server’s processor, clients 
are not required to have fancy and expensive equipment. In fact, the only requirement is 
to have a valid web browser such as Internet Explorer (IE) or Firefox, with a Java plug-in 
enabled. Another major benefit of Go-Global is its ability to run across any type of OS 
platform using the RXP protocol as shown in Figure 12. The diagram below shows 
Windows applications running on three different clients with three different operating 
systems: Linux, Unix/Macintosh, and Windows. 


[Figure 14 (diagram): Windows applications run on the secure central server (Windows NT, 
Windows 2000 or Windows 2003 Server) along with the GO-Global server component; the RXP 
protocol transmits display commands and mouse/keyboard events over the network; GO-Global 
thin clients display applications on Linux, UNIX, Windows or Macintosh desktops.] 

Figure 14. Go-Global’s Ability to Run Across Different Operating Systems (From GraphOn, 2006) 
Go-Global can also deliver Linux/Unix applications to a Windows OS 
through a web browser, as shown in Figure 14. In the screenshot below, a Solaris UNIX 
operating system is virtualized to a Windows operating system through a Netscape 
browser. 

Figure 15. Go-Global Enabled Solaris Applications Running on a Microsoft Windows OS (From 
GraphOn, 2006) 

The following table compares the features and functions of Go-Global to 
thin-client computing (MS Windows Terminal Services) and Citrix MetaFrame 
(GraphOn, 2006). 
Features and Functions                                        | GO-Global | MS Windows Terminal Services | Citrix MetaFrame
--------------------------------------------------------------+-----------+------------------------------+-----------------
Application Publishing                                        |           |                              |
  Publishes Windows applications                              |     X     |              X               |        X
  Publishes UNIX applications                                 |     X     |                              |        X
  Publishes Linux applications                                |     X     |                              |
Remote Display                                                |           |                              |
  Publishes entire desktop                                    |           |              X               |        X
  Publishes single application                                |     X     |              X               |        X
  Publishes list of applications                              |     X     |                              |        X
Server Requirements and Operation                             |           |                              |
  Requires Windows Terminal Services                          |           |              X               |        X
  Runs separate instance of Windows OS for each session       |           |              X               |        X
  Runs multiple sessions with single instance of OS           |     X     |                              |
Client Support                                                |           |                              |
  Windows client                                              |     X     |              X               |        X
  UNIX client                                                 |     X     |                              |
  Linux client                                                |     X     |              X               |        X
  Java client                                                 |     X     |                              |        X
Protocol Efficiency                                           |           |                              |
  Transmits drawing commands and keyboard/mouse events only   |     X     |                              |
  Transmits less efficient screen bitmaps (screen scraping)   |           |              X               |        X
Customization Options                                         |           |                              |
  Private label option to retain original application branding|     X     |                              |
  Offers server and client SDKs                               |     X     |                              |        X
  Product bundling                                            |     X     |                              |
Ease of Use and Efficiency                                    |           |                              |
  Easy to install, configure and manage                       |     X     |                              |
  Low memory and CPU usage                                    |     X     |                              |
Licensing                                                     |           |                              |
  Unrestricted concurrent licensing                           |     X     |                              |
  Restrictive, complex licensing (per user / per device)      |           |              X               |        X
  Requires complex, multiple product licensing                |           |                              |        X
Solution Focus                                                |           |                              |
  Application-centric solution (fast, simple, affordable)     |     X     |                              |
  Restrictive solution                                        |           |              X               |
  Complex "infrastructure" solution                           |           |                              |        X

Table 1. GoGlobal Features Comparison to Thin-Client and Citrix MetaFrame (From GraphOn, 2006) 

E. ADVANTAGES OF APPLICATION VIRTUALIZATION 
1. Reduced Total Cost of Ownership 

Computer software applications have grown dramatically in complexity and cost 
over the past several years. Organizations have had to endure major challenges with the 
upward trend of total costs of ownership for software and hardware as well as IT staffing 
costs associated with hiring experienced and talented technical staff to administer and 
maintain software. The increased software costs include software licensing and control, 
while hardware costs include new equipment for software management such as 
application and license servers. According to research done by EDUCAUSE, costs 
related to technical staffing have been documented by many organizations to be more 
costly than the rising costs of software (Ringle, 2004). Through application 
virtualization, whether streaming or virtualized EXE self-contained packages, these costs 
can easily be driven down. The following sections identify these methods. 
a. Reduction of Conventional Installation Method Costs 

Conventional installation methods, such as manual and imaging, often 
require manual external interactions with the client’s computer systems. This often 
increases the chances of deployment conflicts, which cause increased IT labor and 
resources costs. Application virtualization reduces these costs by providing IT the ability 
to manage and maintain applications from a central location (Thinstall, 2007). This also 
allows for remote administration, which has proven to be easier, faster, and more 
cost effective. By replacing manual administration and desk-side visits with 
virtualization, the increased costs of conventional installation methods can be eliminated. 

b. Reduction of Material Purchasing Costs 

Virtualization reduces costs associated with IT equipment purchases. For 
example, through virtualization organizations can consolidate their servers and improve 
utilization rates by combining workload from multiple underutilized physical machines 
into a single physical system. This drastically reduces the high overhead 
costs of cooling, storage, power, and physical administration (Mann, 2006). It also 
reduces general hardware requirements such as memory and processor speed. 

2. Ease of Application and Security Management 

As mentioned above, the management of software applications, hardware, and 
licensing is very complex and increases the need for more expert IT administrators and 
support staff in an organization. Application virtualization improves management 
efficiency by simplifying, and decreasing the time associated with, the distribution and 
removal of applications to and from clients’ systems (Mann, 2006). By employing a 
central management strategy, administrators are able to set policies, update software, 
upload new and old versions of the same software, and solve problems remotely within 
minutes. 

Application virtualization also improves security because virtualized applications 
do not require any type of installation on the client’s system. Therefore, the client’s 
system, including the registry and configuration files, is not affected. Moreover, this feature 
allows administrators to roll back software within minutes, since it eliminates all the steps 
required for uninstalling and reinstalling software, such as uninstalling the new software 
version, cleaning old registry entries, restarting the system, and finally re-installing the old 
version. Depending on the size of the software, this process could 
take up to an hour for either installing or un-installing, which ends up being a 2-hour 
process per machine. With virtualization, this process will only have to be done once. 
Security is also improved because administrators gain features that make it easy to set 
user access, rights, and duration of software use, which in turn 
improves the management of the licenses associated with the software. Additional 
virtualization features include software asset tracking, which provides administrators with 
software utilization and license tracking reports. 

3. Enhanced System Reliability and Scalability 

Application virtualization enhances system reliability and scalability because of 
its ability to distribute applications through different avenues, such as the web or through 
active directory profiles. According to organizational case studies on the benefits of 
application virtualization and implementation results, end-user down time cost was 
reduced by 80% (Qureshi, 2007). This is because application virtualization ensures 
business continuity by eliminating the need to shut down client systems during application 
distribution and upgrades (Qureshi, 2007). With application virtualization, application 
delivery is seamless, without any interference with the clients’ system operations. 
IV. NPS LOCKED-DOWN SYSTEM ENVIRONMENT 


The concept of locked-down workstations started when organizations decided to 
limit users’ access to the organization’s network in order to maintain security. In a non- 
locked-down environment, users have full access to all files and folders, could install any 
applications, and have unquestioned control over settings and use. However, in a locked- 
down environment, IT organizations impose lockdown policies upon user workstations, 
which prevent any installation of software or change to the system. Although locked-down 
systems reduce flexibility, they provide many benefits to organizations such as ease of 
maintenance, system stability, reduced administrative and maintenance costs, rapid 
updates, and security (Thinstall, 2005). 

With recent developments in operating system security, such as Microsoft Windows XP 
Group Policy management, systems administrators have been able to greatly limit user access 
and control. Typically in a locked-down environment there are different access levels or 
profiles set in place. These profiles range from full access level, which is commonly 
referred to as the administrator level, to a user level, which is the least privileged level. 
Moreover, workstations in common or high-risk areas are often locked down to allow 
access to specific applications only. 

Organizations use a variety of computer lock down strategies to maintain security 
within a network. In Windows platforms there are generally three major lock-down items 
addressed: 

1. User password security settings - the strength of a password is the key to protecting 
the user’s information on a network. Password strength is measured by its 
vulnerability, meaning how easy it is for an outsider to determine the user’s 
password. There are three general requirements that an IT administrator can impose 
on a user’s selection of a password: minimum password length, maximum password 
age, and password complexity. The minimum password length controls the number 
of characters used in a single password. Generally, the greater the number of characters, 
typically starting at 6 to 8 characters, the more secure the password will be. 
Maximum password age is a setting that controls the amount of time for which a 
password is valid. Generally, the shorter the age, the more secure the password will 
be. Most organizations require users to change passwords once every two to three 
months. Finally, password complexity generally means that the password doesn’t 
only contain alphabetic characters but also includes numbers, lower-case letters, upper- 
case letters, and special characters. 

2. User logon and authentication settings - this setting prevents the user’s account 
name from being displayed after the user logs out of the system. Generally, home computer 
users can see their account names at the login screen, where they can click on their 
account name and then type the appropriate password if one was set. In organizations 
this feature is usually disabled so the user has to type in both their username and password, 
which makes it more difficult for an attacker (www.microsoft.com). 

3. User rights security settings - this feature controls the rights of a user account on a 
computer, which is essential to the security of client computers and servers. There 
are many different privileges that can be configured for a user, including read, write, 
and backup. Generally, there are different titles for the different levels of users’ 
privileges: administrator group with full access to the computer/server, power users, 
general users, and many others. 

A. BACKGROUND INFORMATION 

NPS has a typical locked-down domain environment that is maintained by the 
ITACS department. The domain environment, called the Education Research Network 
(ERN), has recently been migrated from the military network (.mil), which puts NPS in a 
different unclassified environment. The migration was necessary at NPS because the .mil 
domain didn’t allow for the flexibility required in a research and academic institution 
setting. However, the .mil network is still an active internal network at NPS. The ERN 
network utilizes the same .mil physical infrastructure, but with private IP space within 
virtual local area networks (VLANs) to separate the two internal networks, ERN and .mil 
(ITACS-NOC, 2007). Client access to the NPS domains is controlled by Microsoft 
Active Directory. There are currently two access levels, user level access and domain 
administrator access. The user access level is assigned to students, faculty, and staff, 
while the domain administrator access is assigned to ITACS personnel. Domain 
administrators have full access to the NPS systems, including software installation and 
access to the Active Directory structure. Users, however, are not allowed to change any of 
the system settings. 

Active Directory maintains the management of user accounts. Currently, 
when there is a new student, faculty, or staff member, their account is created within the 
Python system, a database system administered by ITACS and operated by the Student 
Services Department. Each new account created includes an Exchange mailbox. 
Distance Learning student accounts are also created within Python by the registrar office; 
however, only select distance learning students are given email accounts. Account 
expiration dates are linked to the user’s common access card (CAC) expiration date. The 
passwords associated with the ERN accounts have four password security restrictions: 
enforced password history, which keeps track of old passwords and stops the user from 
reusing one of them; maximum password age; minimum password age; and minimum 
password length. For security purposes, the parameters of these enforced policies will 
not be included in this report. 
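
The following Python program is an added illustration, not part of this thesis or of 
the NPS configuration, of how the four ERN restrictions just listed (plus the complexity 
rule described at the start of this section) can be enforced in one place. The policy 
numbers in it are constructed placeholders, since the real ERN parameters are withheld 
above; the account name and password values are likewise constructed. 

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """The four ERN restrictions named in the text plus complexity.
    The thesis withholds the real ERN values, so these are constructed placeholders."""
    history_size: int = 5                    # enforce password history (remember last N)
    max_age: timedelta = timedelta(days=90)  # maximum password age
    min_age: timedelta = timedelta(days=1)   # minimum password age
    min_length: int = 12                     # minimum password length
    require_complexity: bool = True          # numbers, lower, upper and special characters


@dataclass
class Account:
    name: str
    # (salt, digest) pairs, newest first; never the old passwords themselves
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[datetime] = None


def _digest(password: str, salt: bytes) -> bytes:
    # History entries are salted PBKDF2 digests so a leaked history reveals no passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _meets_complexity(password: str) -> bool:
    """All four character classes named in the text must be present."""
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password) and any(not c.isalnum() for c in password))


def evaluate_change(policy: PasswordPolicy, account: Account,
                    new_password: str, now: datetime) -> List[str]:
    """Return the policy violations a proposed change would trigger (empty list = allowed)."""
    violations = []
    if len(new_password) < policy.min_length:
        violations.append("too_short")       # minimum password length
    if policy.require_complexity and not _meets_complexity(new_password):
        violations.append("not_complex")
    if any(_digest(new_password, salt) == digest for salt, digest in account.history):
        violations.append("reused")          # enforced password history
    if account.last_changed is not None and now - account.last_changed < policy.min_age:
        violations.append("too_young")       # minimum password age
    return violations


def apply_change(policy: PasswordPolicy, account: Account,
                 new_password: str, now: datetime) -> None:
    """Record a change, or refuse it with the list of violated rules."""
    violations = evaluate_change(policy, account, new_password, now)
    if violations:
        raise ValueError("password change rejected: " + ", ".join(violations))
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(new_password, salt)))
    del account.history[policy.history_size:]   # keep only the last N digests
    account.last_changed = now


def password_expired(policy: PasswordPolicy, account: Account, now: datetime) -> bool:
    """Maximum password age: a change is forced once the password is older than max_age."""
    return account.last_changed is None or now - account.last_changed > policy.max_age
```

The minimum-age check is what gives the history rule its teeth: without it a user could 
cycle through N+1 changes in a minute and land back on the original password. 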

B. NMCI LOCKED-DOWN ENVIRONMENT 

The DoD has different locked-down system levels such as the Navy Marine Corps 
Intranet (NMCI) system used within the US and ONE-NET used overseas by the Navy. 
NMCI is a comprehensive, enterprise-wide initiative that makes a full range of network- 
based information services available to sailors and Marines for day-to-day activities. As 
of March 2006, NMCI included some 290,000 computers, making it the largest internal 
computer network in the world (EDS, 2006). The following figure (Figure 16) provides a 
high-level overview of the NMCI network. 

Figure 16. High-Level View of the NMCI Enterprise Domain(s) (From Raytheon, 2005) 


NMCI dictates who is authorized to manage what information as well as where 
and how that information may be stored, handled, and distributed. Many commercial 
hardware and software products do not function without modifications and/or special 
procedures, or present vulnerabilities that must be mitigated before the products are 
allowed to be used in NMCI (Raytheon, 2005). To ensure that only certified items are 
installed, NMCI does not allow end users the ability to independently install software 
onto their desktops. Therefore, all applications must be packaged and certified for use in 
an NMCI environment (Raytheon, 2005). In order for software to be certified for use, it 
must be submitted for testing and security assurance to Electronic Data Systems (EDS), 
the owner of the NMCI program, and once it is certified EDS creates the software 
package to be pushed out to clients (Raytheon, 2005). 

C. SOFTWARE DELIVERY IN LOCKED-DOWN ENVIRONMENTS 

As discussed in Chapter I, there are several methods of software delivery that are 
exercised by different organizations. The method chosen depends on the size and 
mission of the organization. Generally, large organizations use the imaging method to 
perform wide scale software installation and to maintain duplicate client system settings 
throughout the organizational network. 

1. NPS Current Software Delivery Methods 

NPS has been utilizing the imaging method for several years. There are several 
system images that are maintained by the Academic Client Services department within 
ITACS. All of the images reside on a server that can only be accessed by domain 
administrators. These images are updated on a semi-quarterly basis depending on the 
availability of required updates and patches, and on requests for additional software by 
the various curriculum departments. The updated images are typically deployed during 
the quarter breaks, which are the spring, summer, and winter breaks. If additional 
software is required after the images have been deployed, then manual installation is 
performed on the systems requested, which could range from one system to a full 
computer lab. 

2. NPS Distance Learning Current Software Delivery Methods 

The Office of Continuous Learning (OCL) at NPS maintains DL programs. 
Based on the curriculum and the software requested for the DL class, the instructor is in 
charge of acquiring the software, which must be in CD media format, and providing it 
to OCL. Once OCL has the software CD, copies are generated for the students in the 
class. Typically, there are anywhere between 10 and 20 students enrolled in a DL class, 
and each student could be stationed anywhere in the world. OCL is in charge of mailing 
the CDs to the students and ensuring that the students have received the software. Also, 
depending on the size of the software, OCL will sometimes post the software for 
download on the DL class Blackboard site. 

a. NPS Distance Learning Challenges 

OCL has several challenges with their current software delivery approach. 
First, the process is very lengthy. OCL has to ensure that each copy of the software is 
working before it is sent out, and must also ensure that each CD has the correct labels. 
Second, it is hard to keep licensing in order because of last-minute 
enrollments. For example, if 15 licenses were purchased for the software and a student 
decides to enroll a day before the start of the class, OCL will have to figure out a way to 
purchase an additional license and deliver the software to the student. Finally, 
determining delivery times to out-of-country students is very challenging. 

b. DL Student Challenges 

The current OCL process is also very challenging for the DL student. 
First, many DL students are using NMCI locked-down systems and therefore cannot 
install and access the software. Second, out-of-country students often have problems 
receiving the software on time. Third and finally, students generally have different 
operating systems as well as hardware levels that are often not compatible with the 
software delivered. 
V. PROPOSED NPS DL APPLICATION DELIVERY METHOD 


NPS has a complex network infrastructure and has tight security requirements. 
Therefore, any proposed solution has to be compatible with the current infrastructure. 
Additionally, since the proposed method is targeted for NPS DL application delivery, the 
method has to be reconcilable with other Navy system infrastructures such as NMCI. 
This chapter will describe the current NPS infrastructure including the current resources 
available to DL students, and how the proposed method could be easily implemented 
within the current NPS infrastructure. 

A. CURRENT NPS NETWORK ACCESS AND INFRASTRUCTURE FOR DISTANCE LEARNING STUDENTS 

As mentioned earlier, DL students are assigned ERN access accounts through the 
Python system. Until recently, DL students did not have access to the Python system, 
which was a challenge for most students. In an effort to address this problem, the ITACS 
department created a new system called The Citrix Farm (CitrixERN). CitrixERN 
provides remote access to server-based applications such as DORS, PARIS, Matlab, 
Python and Student check-in. It also provides a secure platform from which these and 
additional applications are delivered. These applications can be custom or productivity 
applications such as Office (Network Operations Center, 2007). However, departments 
have yet to utilize the capabilities provided by this new system. 

1. NPS Citrix Network Infrastructure 

The CitrixERN system has similar access levels to the NPS main ERN system, 
user and administrative. The user-level access provided to the DL students is an 
enterprise account that only allows access to the applications on the Citrix Farm to which 
the student’s account has access. Once the student account is authenticated, the student is 
presented with a web page of the assigned application icons. Similar to on-campus 
students, Citrix Farm application access rights for DL students are managed through 
group membership in the Microsoft Active Directory (Network Operations Center, 2007). 
For example, if the student is a member of the Matlab users group then the student will 
see a Matlab application icon. Figure 17 below provides an overview of the network 
infrastructure for the NPS Citrix access infrastructure. 



Figure 17. NPS Citrix System Overview Diagram (From Network Operations Center, 2007) 
As shown in the figure above, access to the CitrixERN is available through the 
Internet using the secure HTTP protocol (HTTPS) on port 443, through the two secure 
gateways in the DMZ to the web interface running on one or more of the Citrix 
Presentation servers in the Intranet (Network Operations Center, 2007). After the 
authentication process, actual addresses of the Presentation servers are not sent to the 
student, and everything within the HTTPS connection is 128-bit ICA encrypted (Network 
Operations Center, 2007). Students can access CitrixERN by simply entering 
https://voyager.nps.edu in a web browser window and then authenticating to the 
server using their ERN-assigned username and password. The CitrixERN system 
consists of two Citrix Secure Gateways and five Citrix Presentation servers, which 
provide redundant secure connections and application engines only; therefore, no user data 
is stored on these systems (Network Operations Center, 2007). The users’ data along 
with the application data is stored on the production file servers, while the data backup 
and recovery capability as well as data server failover capabilities are provided by the 
production servers (Network Operations Center, 2007). It is important to note that any 
data stored on this system has to be considered sensitive unclassified (Network 
Operations Center, 2007). 

2. Blackboard System 

Blackboard is a web-enabled, database-driven educational collaborative system, 
which is very popular among educational institutions. The system enables course 
instructors to develop their courses in an organized password protected environment and 
provides asynchronous and synchronous communication tools for collaborative work. 
Blackboard systems are targeted for both on-campus and off-campus students. It 
enhances student-to-student and student-to-faculty communications through tools such as 
discussion boards, chatrooms, and e-mails. The Blackboard discussion boards are very 
similar to online forums, which give students the ability to post and view each other’s 
notes, ideas, or questions. Blackboard can be accessed through any web browser and is 
typically configured for each educational institution with a specific website address. For 
example, the NPS Blackboard site is located at https://nps.blackboard.com. Generally, a 
typical Blackboard online course webpage includes sub-pages for class announcements, 
course information, faculty information, course documents, assignments, communication 
tools, external links, and other tools. Figure 18 provides a screenshot of some of the tools 
available to the students. These pages are created from templates that are provided to the 
class instructor. The instructor may choose to add or remove sub-pages or some of the 
tools shown in Figure 18 below. 



Figure 18. Blackboard Online Class Tools Page Screenshot 

As mentioned earlier, Blackboard can be accessed via a web browser by accessing 
the NPS Blackboard site. Similar to the Citrix Voyager page, the Blackboard page is 
available for public access, which means that the student doesn’t have to authenticate 
through VPN first in order to gain access to Blackboard. The authentication process is 
also similar to Citrix; however, the password does not have to be identical to the student’s 
ERN account password. Students are enrolled automatically in Blackboard through 
Python, assuming that the class uses Blackboard. As shown in Figure 19 below, once the 
student is successfully authenticated in the system, a homepage will be displayed, which 
includes the student’s registered classes, including announcements, calendar, and tools. 
The instructors have a similar homepage but will have additional privileges such as 
access to add or remove student access to the Blackboard webpage. Students have the 
ability to modify their page by adding or removing classes or adding additional tools. 
Figure 19. Blackboard Homepage Screenshot 

Currently, Blackboard is used as a material delivery and in some cases as an 
application delivery portal for both on-campus and DL students. However, there is a size 
limit for application uploads to the Blackboard server, meaning that large applications 
cannot be uploaded to Blackboard for student access. Moreover, DL students who 
only have computer access through NMCI networks do not have privileges to install any 
applications provided on the Blackboard site. Therefore, application delivery through 
Blackboard has not been considered as an option for solving the application delivery 
dilemma at NPS. 

B. PROPOSED VIRTUALIZED APPLICATION DELIVERY METHOD 

Based on the NPS network infrastructure analysis and the DL challenges with locked- 
down system environments such as NMCI, a Thinstall self-contained virtualized 
application package is the optimal method and is therefore highly recommended for 
implementation. As mentioned earlier, the two main priorities for DL application 
delivery in NPS are security and full isolation. Thinstall will fulfill these priorities along 
with other additional benefits. According to the Pentagon in Washington, DC, employing 
Thinstall technologies allowed for increased application and desktop security by 
eliminating installation, faster and easier application deployment to locked-down 
systems, elimination of installation conflicts that previously ran as high as 20%, 
decreased regression testing time by 70%, and consistent, flawless end user experience 
(Thinstall, 2007). The fact that Thinstall ran flawlessly in the Pentagon makes Thinstall 
an even more attractive solution for DL application delivery at NPS. 

1. Thinstall Virtualized Self-Contained Packages in Locked-Down Systems 

The idea of self-contained packages was created by Thinstall to address several 
issues including desktop security; downtime and support costs; increased application 
deployment and management costs; higher security requirements, reducing infrastructure 
costs by centralizing IT; migration to XP, Vista, and .NET; and, business continuity and 
disaster recovery (Thinstall, 2007). As mentioned in previous chapters, Thinstall is a 
client-less application virtualization solution that allows any Windows application to be 
packaged, distributed, and executed as a single EXE on a client PC without installation or 
changes to the local desktop’s registry and file system (Thinstall, 2007). 

Locked-down systems such as NMCI are very limiting to organizations that need 
to deploy custom business applications. Thinstall was able to provide an application 
virtualization solution that allows applications to be easily deployed to locked-down 
systems, updated, centrally managed, and delivered faster than traditional methods 
(Thinstall, 2005). Virtualized applications through Thinstall are able to run on locked- 
down systems because of their ability to run entirely in user mode with no device driver 
installation required, therefore making it virtually impossible to harm or crash the client’s 
system (Kennedy, 2007). Because of Thinstall’s full isolation benefits, applications are 
able to run without risk of damaging the client’s OS. Therefore, users benefit by 
experiencing normal application behavior and the system allows administrators to 
maintain a secure, clean, and stable user desktop environment. Unlike the other 
virtualization methods described in chapter II, Thinstall does not require any pre-installed 
software on the client or the hosting server. The applications can be distributed to the 
clients in a variety of ways such as Desktop, LAN, WAN, USB Flash device, and Internet 
using the existing organizational infrastructure (Thinstall, 2007). 

The key security driver that allows Thinstall applications to run on locked-down 
systems is its ability to create its own virtual registry (VREG). In a Windows 
environment, the registry is a database that stores settings and options for the operating 
system, including hardware, software, and user settings. Registry key values are 
changed or added every time there is a new modification in the system, such as a new 
software installation or update. There are many malicious programs that cause security 
damage to an organization because of their ability to change key values, or create new 
ones, to ensure that their code runs automatically, which can in turn have an adverse effect 
on legitimate programs (Yu, Guo, Nanda, Lam, & Chiueh, 2006). As shown in Figure 20 
below, the Thinstall VREG allows virtual registry keys to transparently merge with the real 
system registry by making prepackaged registry keys appear as though they have been 
installed into the system registry without actually making any real system changes 
(Thinstall, 2005). 

Figure 20. Thinstall Virtual Registry Module (From Thinstall, 2005) 

As shown above, the Thinstall virtual registry module technology virtualizes 
application registry keys and makes them available for Thinstall applications. This is 
achieved through the Thinstall packaging process, which will be discussed in more detail 
in Chapter VI. 
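
The following Python model is an added illustration and not Thinstall’s code. It shows 
the layering behaviour that the VREG description above attributes to Thinstall: reads 
fall through to the real registry, while every write the application makes stays in the 
package’s own overlay, so the locked-down system’s registry is never modified. The 
registry paths and values are constructed samples, and the SystemRegistry and 
VirtualRegistry classes are hypothetical stand-ins for the real Windows registry and for 
the Thinstall module. 

```python
from typing import Dict, Iterable, List, Optional

# Constructed sample of a locked-down machine's real registry (not real NPS data).
SAMPLE_SYSTEM_KEYS = {
    "HKLM\\System\\Locale": "en-US",
    "HKLM\\Software\\Microsoft\\Windows\\Version": "5.1",
}

# Constructed sample of the keys an installer would have written. Thinstall captures
# keys like these at packaging time and ships them inside the single EXE.
SAMPLE_PACKAGED_KEYS = {
    "HKLM\\Software\\ExampleApp\\InstallDir": "C:\\Program Files\\ExampleApp",
    "HKLM\\Software\\ExampleApp\\Version": "1.0",
}


class SystemRegistry:
    """Stand-in for the real registry on a locked-down PC: readable by everyone,
    but a write attempted by a normal user is refused."""

    def __init__(self, keys: Dict[str, str]):
        self._keys = dict(keys)

    def read(self, path: str) -> Optional[str]:
        return self._keys.get(path)

    def write(self, path: str, value: str) -> None:
        raise PermissionError("locked-down system: registry write denied for users")

    def keys(self) -> Iterable[str]:
        return self._keys.keys()

    def snapshot(self) -> Dict[str, str]:
        return dict(self._keys)


class VirtualRegistry:
    """Overlay that merges packaged keys and runtime writes over the real registry.
    Reads fall through layer by layer; writes never leave the overlay."""

    def __init__(self, system: SystemRegistry, packaged: Dict[str, str]):
        self.system = system
        self.packaged = dict(packaged)       # layer 2: captured at packaging time
        self.sandbox: Dict[str, str] = {}    # layer 1: what the app writes at runtime
        self.deleted = set()                 # tombstones hiding keys in lower layers

    def read(self, path: str) -> Optional[str]:
        if path in self.deleted:
            return None
        if path in self.sandbox:
            return self.sandbox[path]
        if path in self.packaged:
            return self.packaged[path]
        return self.system.read(path)        # transparent fall-through to the real hive

    def write(self, path: str, value: str) -> None:
        # The application believes it wrote to HKLM; the real hive is untouched.
        self.deleted.discard(path)
        self.sandbox[path] = value

    def delete(self, path: str) -> None:
        self.sandbox.pop(path, None)
        self.deleted.add(path)

    def enumerate(self, prefix: str) -> List[str]:
        """Merged view of every live key under prefix, as the application would see it."""
        live = set()
        for layer in (self.system.keys(), self.packaged, self.sandbox):
            live.update(k for k in layer if k.startswith(prefix))
        return sorted(k for k in live if k not in self.deleted)


if __name__ == "__main__":
    system = SystemRegistry(SAMPLE_SYSTEM_KEYS)
    vreg = VirtualRegistry(system, SAMPLE_PACKAGED_KEYS)
    vreg.write("HKLM\\System\\Locale", "fr-FR")      # app "changes" a system key
    print(vreg.read("HKLM\\System\\Locale"), system.read("HKLM\\System\\Locale"))
```

Because the overlay is an ordinary in-process data structure, nothing here needs a 
device driver or elevated rights, which is the property that lets a package run under a 
user-level NMCI account. The same layering discipline applies to the package’s virtual 
files. 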

2. Integration with Current Infrastructure 

The proposed architecture plan for Thinstall integration is not a restructuring but 
simply an addition of Thinstall software packages to the current architecture. One of the 
prime features of Thinstall is its ability to integrate with Citrix MetaFrame Presentation 
Servers. As mentioned earlier, NPS has invested in Citrix technologies to provide 
outside network access to some of the NPS internal resources such as Python and Matlab. 
Because of Thinstall’s unique VREG technology, several applications, including several 
versions of the same application, can be run and installed on a single Citrix Presentation 
server, which would not have been possible with traditional software installation 
methods (Thinstall-LockedDownDesktops_V10ct05.pdf). As discussed earlier, this is 
possible because each application is packaged with its own set of registry and 
configuration files. 

Although Thinstall virtualized applications can be delivered in a variety of ways, 
one method could simply be sending them to DL students on removable media 
devices, or even by simply placing a link to the application on a webpage. For NPS, the 
integration must be compatible with the current automated process, and this could be 
successfully achieved using the NPS Citrix Farm infrastructure. The Citrix MetaFrame 
Presentation Server includes a portal that allows users to authenticate to the network. As 
described earlier, NPS has this feature available by allowing valid NPS ERN user 
accounts to authenticate to the internal network resources using this portal. Figure 21 
below provides a screenshot of the NPS Citrix MetaFrame Presentation Server portal 
login screen. 

Figure 21. NPS Citrix Portal 

As shown above, once the user is successfully authenticated, the login window 
changes to an Applications window. The portal requires a Citrix ICA client to be 
installed on the client’s system. This will not be a problem with NMCI locked-down 
systems, since the Citrix ICA client is part of the NMCI core build and therefore 
available on all NMCI locked-down machines. If the Citrix ICA client is not installed on 
the user’s workstation, a message in the Message Center area will be displayed stating 
that a free Citrix client must be installed and indicating where the user can download the 
client. 

There are two proposed avenues for integrating Thinstall applications with Citrix: 
by running the Thinstall applications straight from the Citrix Presentation Server or by 
allowing users to run the Thinstall applications directly from their PCs. A company 
called PQR has successfully implemented both methods. PQR is a company based in 
The Netherlands, and was founded in 1990 (Virtuall, 2007). The company provides 
virtualization solutions and one of their main showcases is a portal called VIRTUALL, 
which is a Citrix Presentation Frame Server portal that provides a showcase for a variety 
of virtualization solutions including Citrix, SoftGrid, Thinstall, and PowerFuse Desktop. 
VIRTUALL provides the showcase using the same Citrix Presentation Server portal used 
by NPS. Figure 22 below is a screen shot of the application delivery virtualization 
solutions available on the VIRTUALL portal. 
Figure 22. Thinstall Integration with Citrix Methods 

As shown in Figure 22 above, Thinstall applications were integrated with the 
Citrix Presentation Server and published on the Citrix Portal using two methods shown in 
two different folders. The first folder is titled “Thinstall applications running on Citrix 
Presentation Server,” which has virtualized applications using Thinstall that are saved on 
the Citrix Presentation Server and can be run directly from there. The second folder is 
titled “Thinstall applications running on YOUR PC,” which includes Thinstall virtualized 
applications that can be run directly from the client’s PC. There are pros and cons to both 
methods. The first method provides different clients with different OS platforms the 
ability to run Thinstall applications using a web browser and a free Citrix ICA client. For 
example, an Apple OS user can simply open any of the virtualized Windows applications 
in the first folder, and the Citrix ICA client will start and provide him/her with a 
virtualized windows interface with the application running. It is important to note that 
for this method to work, the user has to be constantly connected to the Internet. 
Therefore, if the Internet connection suddenly goes down, the user will lose the connection 
and any unsaved data, which is one of the major disadvantages of using this approach. It 
is also important to note that by running the Thinstall applications directly from the Citrix 
Presentation Server, the user is using the server’s processing speed, which is an 
advantage to this approach. Nonetheless, by using the second approach, the user has the 
flexibility to simply download the Thinstall virtualized application to the desktop and 
then run the virtualized application natively. Therefore, constant Internet connection is 
not required and the application runs as if it is installed directly on the client’s system. 
When the Thinstall virtualized application is run natively on the client’s system, the client 
system’s processing speed is used, which could be viewed as either an advantage or a 
disadvantage depending on the client’s computer system’s specifications. However, the 
biggest disadvantage to this approach is its incompatibility with license-dependent 
applications, meaning applications that require communication and 
authentication with a license server in the organization’s network. The only feasible way 
for a licensed server application to run natively on a client’s system is if the client’s 
system is inside the network, and since Thinstall can capture the communication with the 
license server and can package it within the virtualized single self-contained EXE 
application file, it should not present a problem within the network but will present a 
problem if used outside of the network. Therefore, any NPS applications with license 
server communication needs are not recommended for DL application delivery using 
Thinstall. 

Currently, NPS virtualizes an engineering software application called Matlab, 
using one of the five Citrix Presentation Servers available. All five Citrix 
Presentation Servers are currently at capacity. This is because all of the applications that 
are currently virtualized using the Citrix Presentation Server were installed using the 
direct manual approach, which utilizes most of the disk space available on the servers. 
However, more space could be saved and spared for other applications by first 
virtualizing the applications using Thinstall and then publishing them directly on the Citrix 
Presentation Server. According to Thinstall, “Thinstalling an application can reduce the 
storage footprint of an application by more than 40%.” (Thinstall, 2007) Therefore, it is 
recommended that NPS combine virtualization techniques using Thinstall. This could be 
accomplished by creating two new folders in the NPS applications Citrix Portal, similar 
to what is shown in Figure 22 above. The first folder will consist of the applications that 
require communication with a license server; these can be packaged using Thinstall and 
then saved directly on the Citrix Presentation Server. The second folder will 
contain all of the applications that do not require license server communication 
and therefore can be saved on or run directly from the client’s system. 

This proposed method will also be seamlessly integrated with the current NPS 
Microsoft Active Directory settings, so virtualized applications can be assigned to 
specified DL student groups within the active directory in a very similar fashion to 
Matlab’s current setup. For example, if a DL student is enrolled in a DL engineering 
program or class then he/she will be part of the DL engineering group that only consists 
of the Thinstall virtualized engineering applications. 
VI. SELF-CONTAINED APPLICATION VIRTUALIZATION THROUGH THINSTALL 


Thinstall is a new application virtualization delivery technology that uses virtual 
machine technology similar to VMWare and VirtualPC. Unlike VMWare and VirtualPC, 
Thinstall acts as the layer between the application and the OS as shown in Figure 23 
below, rather than emulating hardware I/O instructions with an entirely new virtualized 
machine (Thinstall, 2005). Additionally, the Thinstall virtual machine technology 
requires much less memory than traditional virtual machines. This chapter will discuss 
the technology process of Thinstall as well as compatibility tests and results with NMCI 
locked-down systems. 


[Figure 23 diagram labels: Virtual Files, Virtual File System, Registry, Filesystem, Operating System] 

Figure 23. The Thinstall Virtual Machine (From Thinstall, 2007) 


A. TECHNOLOGY PROCESS 

The Thinstall application deployment process is very similar to the typical 
software deployment process, except that its technology process, more specifically the 
loading process, is very different from the typical software loading process. Figure 24 
below provides an overview of the Thinstall deployment process. 

Figure 24. Thinstall Deployment Process Overview (Thinstall, 2007) 

As shown in Figure 24, the first step is choosing the software to be packaged. The 
software could be either commercial or custom in-house software. The second step is to 
package the software using the Thinstall packaging program. After the software is 
packaged, QA tests should be performed to ensure elimination of application execution 
conflicts. The third step is to distribute the packaged application. As mentioned earlier, 
distribution can be achieved using the organization’s current deployment infrastructure 
through web-servers, network drives, Microsoft Active Directory, etc. Finally, the end 
user can access the virtualized packaged application using any of the methods described 
earlier. 

Thinstall applications perform as typical applications because they operate on 
binary data such as DLLs, EXEs, registry information, and data files (Thinstall, 2005). 
Therefore, Thinstall applications can be deployed and executed without installation. 
Thinstall uses a different virtualization technique that packages an application into a 
single self-contained EXE file that runs on the client’s system instantly with complete 
isolation from the client’s system. The technology of Thinstall is driven by a small, 
lightweight Virtual Operating System (VOS) component that is embedded with each 
Thinstall-packaged application (Thinstall, 2007). Figure 25 below provides an overview 
of what is contained in a Thinstall packaged EXE application. As shown in the figure 
below, the Thinstall virtualized application package contains registry access, file access, 
and DLL/EXE configuration loading files, which are all transferred to a virtual registry 
layer, then to a virtual registry file. 

Figure 25. Technology Behind Thinstall Packaged Applications (From www.thinstall.com) 

The Thinstall VOS loads both the application process and the DLL dependencies. 
The VOS loads the application process by starting the EXE file from the Virtual File 
System (VFS), which is a compressed file system that is transparently joined to the real 
file system at runtime (ThinstallTechnicalOverview_V2Apr06.pdf). According to 
Thinstall’s technical overview document, the VFS remains embedded in the initial EXE 
distribution package without extracting to disk, and it is only visible to the 
application running under the Virtual Machine (Thinstall, 2007). In a Thinstall 
application package, a virtual file is no different from a normal file, except that it does not 
exist on the hard drive. This is achieved because Thinstall makes it appear 
as though all virtual files have been extracted and installed on the hard drive (Thinstall, 
2007). The VOS also loads any DLL dependencies directly from the packaged archive 
when requested (Thinstall, 2007). 
1. Application Packaging 


Thinstall provides a very simple Setup Capture program, which takes two
snapshots of a test machine. The first snapshot is a recorded scan of all the Windows
files, including the registry, DLLs, and configuration files. Therefore, it is recommended that
the test machine have a new or “fresh” Windows OS installed, which is usually referred to
as a clean system. The second snapshot is taken after the target software is installed. The
Thinstall Setup Capture then compares the two snapshots and generates a self-contained
virtual EXE directly from the changes that occurred between the first and second
snapshots (Thinstall, 2007). Figure 24 provides a screenshot of the Thinstall capture
screen.



Figure 26. Screenshot of Thinstall’s Capturing Process

The captured files for each installed application are stored in a directory-based structure
(Figure 27) that allows for easy browsing, searching, editing, and modification using
standard file system tools like Explorer and Windows Search, so they can be easily
transferred to different servers for network shares and backed up normally (Thinstall,
2007).
Figure 27. Screenshot of Thinstall’s captured file structure and build process

The Thinstall self-contained virtual EXE packaging is processed in three stages.
First is the link stage, where Thinstall compresses all of the application files, supporting
runtime files, any required registry settings, and a copy of the Thinstall Virtual Machine,
then creates a new virtual machine that has the same icon as the original application
(Thinstall, 2007). Second is the load stage, where Thinstall decompresses the first EXE or
DLL file into memory (Thinstall, 2007). The third and final stage is the run time environment,
where the program is executed normally, performing the operations required by the
software (Thinstall, 2007).
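The two-snapshot capture and the link stage that consumes its output can be shown together with a small added example (illustrative code written for this page, not Thinstall's Setup Capture). It hashes a constructed directory tree before and after a simulated install, diffs the result together with a dictionary standing in for the registry, and produces the delta that a build stage would compress into the package. It also flags anything the installer dropped into the drivers directory so the packager can review it, since a user-mode virtualization layer does not load drivers into the host kernel. The sample "clean system", the simulated installer and the registry values are all constructed in a temporary directory.

```python
"""Added example (not Thinstall's Setup Capture): a two-snapshot capture diff
over a directory tree plus a constructed stand-in for the registry. The delta
is the material a packager would hand to the link/build stage. The sample
'system' and 'installer' below are constructed in a temporary directory."""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Snapshot:
    files: dict[str, str]       # relative path -> SHA-256 of contents
    registry: dict[str, str]    # key -> value (constructed, not a real hive)


@dataclass
class CaptureDelta:
    added_files: list[str] = field(default_factory=list)
    modified_files: list[str] = field(default_factory=list)
    deleted_files: list[str] = field(default_factory=list)
    added_registry: dict[str, str] = field(default_factory=dict)
    modified_registry: dict[str, str] = field(default_factory=dict)
    driver_files: list[str] = field(default_factory=list)   # flagged for review


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root: Path, registry: dict[str, str]) -> Snapshot:
    """Scan every file under root and copy the registry stand-in."""
    files = {p.relative_to(root).as_posix(): hash_file(p)
             for p in root.rglob("*") if p.is_file()}
    return Snapshot(files, dict(registry))


def diff_snapshots(before: Snapshot, after: Snapshot) -> CaptureDelta:
    """Everything that changed between the snapshots is what gets packaged."""
    d = CaptureDelta()
    for path, digest in sorted(after.files.items()):
        if path not in before.files:
            d.added_files.append(path)
        elif before.files[path] != digest:
            d.modified_files.append(path)
    d.deleted_files = sorted(set(before.files) - set(after.files))
    for key, value in after.registry.items():
        if key not in before.registry:
            d.added_registry[key] = value
        elif before.registry[key] != value:
            d.modified_registry[key] = value
    # The virtual layer runs in user mode and does not load files into the
    # host kernel, so driver files in the delta are flagged for manual review.
    d.driver_files = [p for p in d.added_files + d.modified_files
                      if p.lower().startswith("windows/system32/drivers/")]
    return d


def demo_capture(root: Path) -> CaptureDelta:
    """Constructed 'clean' system, then a simulated installer run, then the diff."""
    sys32 = root / "Windows" / "System32"
    (sys32 / "drivers").mkdir(parents=True)
    (sys32 / "kernel32.dll").write_bytes(b"host kernel32")
    (root / "Windows" / "win.ini").write_text("[fonts]\n")
    base_reg = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir":
                r"C:\Program Files"}
    before = take_snapshot(root, base_reg)

    app = root / "Program Files" / "SampleApp"      # what the installer does
    app.mkdir(parents=True)
    (app / "SampleApp.exe").write_bytes(b"MZ sample application")
    (app / "helper.dll").write_bytes(b"helper library")
    (sys32 / "drivers" / "sampledrv.sys").write_bytes(b"kernel driver")
    (root / "Windows" / "win.ini").write_text("[fonts]\n[SampleApp]\nlicensed=1\n")
    after_reg = dict(base_reg)
    after_reg[r"HKLM\Software\SampleApp\InstallDir"] = r"C:\Program Files\SampleApp"
    after = take_snapshot(root, after_reg)
    return diff_snapshots(before, after)


def run_demo() -> CaptureDelta:
    with tempfile.TemporaryDirectory() as tmp:
        return demo_capture(Path(tmp))


if __name__ == "__main__":
    print(run_demo())
```

The diff is only as trustworthy as the first snapshot: any file or key already present on a dirty machine is invisible to the delta, which is the reason the text insists on a clean system for the capture.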

2. Application Management 

As discussed earlier in Chapter V, Thinstall packages can be directly tied to 
specified account groups using Microsoft Active Directory. Therefore, unauthorized 
users cannot execute Thinstalled applications even if they’re copied (Thinstall, 2007). 
Thinstall application management through the Microsoft Active Directory also allows for 
easy addition and removal of users from groups. This is done from a central location 
without the need for modification and updates of individual packages that have been 
previously deployed (Thinstall, 2007). 

3. Application Upgrades and Licensing 

One of the significant benefits of Thinstall is its ability to allow for application 
upgrades and version rollbacks. Thinstall achieves this through its upgrade mechanism 
that allows administrators to deploy application upgrades even while the older application 
versions are still in use (Thinstall, 2007). This process will be discussed in more detail in 
Section B of this chapter. Application patches can also be achieved by capturing the 
patches either during the Thinstall capture process or by applying them inside the virtual 
environment (Thinstall, 2007). 

Application licensing through Thinstall posed some challenges during the testing
phase. As stated earlier in Chapter V, it is not recommended to virtualize applications
that require communication with a license server for DL students to run directly from
their systems. This is because DL students will not have access to the NPS internal
networks, and therefore the virtualized application will fail when it cannot communicate
with the licensing server. Using Thinstall for these types of applications is therefore
only feasible by combining virtualization methods with the Citrix Presentation Server.
However, applications that only require an embedded license key are fully compatible
with Thinstall virtualization packaging and will provide users the ability to run the
applications straight from their desktops.

4. Operating System and Software Compatibility 

Thinstall supports 32-bit and 64-bit platforms including Windows NT (32-bit),
2000, 2000 Server, XP, XPE, 2003 Server, and Vista. Thinstall does not support any
16-bit or non-Intel platforms such as Windows CE (Thinstall, 2007). Thinstall can also
run 16/32-bit applications on a 64-bit OS, but it does not currently support 64-bit native
applications. As for software, all software applications that are typically deployed using
traditional installation technologies are compatible for packaging using Thinstall. This
includes applications requiring installation of kernel-mode device drivers, products such
as anti-virus and personal firewalls, scanner drivers and printer drivers, and some VPN
clients (Thinstall, 2007). Additionally, Thinstall virtualized applications can interact with
other applications installed on the client’s system in the same manner in which
desktop components interact with each other. This includes cut & paste (for example,
pasting from a system-installed application to a Thinstalled application); access to
printers (a Thinstalled application has full normal access to any printer
installed on the client’s PC); various system drivers; access to local disks, removable
disks, and network shares (such as the fixed ‘c:\’ drive, a removable USB flash
drive, or a network mapped drive); access to the system registry if permitted by the client’s
system access permissions; and finally access to networking and sockets (for example, a
virtualized Firefox Internet browser has full normal access to networking
functionality) (Thinstall, 2007).
B. SOFTWARE TESTING


Thinstall Virtualization Suite was tested under new “fresh” installs of both
Windows XP Professional and Windows Vista Business using two test machines.
Initially, the process seemed fairly straightforward. The Thinstall Virtualization Suite
installer was small and quick. Then the Thinstall capture utility was
used to create a test software package. As mentioned earlier, the capture procedure
involves before and after installation snapshots of the operating system’s file structures
and registry database. After the capture process was over, the Thinstall program
provided a mock image of the captured changes enclosed in a series of system disk
folders, editable configuration files, and a batch file. The batch file is used to launch the
final build process, which compresses all of the captured files into a single executable EXE
file. This process seemed very simple until it was time to package additional test
software. The challenge faced was the need to start with a new “fresh” install of the
Windows system for each package. Installing Windows could take hours, and therefore the process seemed
very complex and lengthy. This section discusses the methods used to address this
challenge as well as the test packaging results.

1. Methods 

To address the challenge of using a new clean Windows install every time
targeted software is packaged, a VMware Server was used to maintain a clean image of
Windows. Using VMware allowed Windows to be installed into a virtual machine
once. VMware then took a snapshot of the entire machine in its clean state with no
applications installed, and was set to start Windows into this state every time the virtual
system was restarted. By using the VMware server, applications were easily installed,
captured and packaged on a “clean” Windows system with no conflicts. The following
are the steps used to achieve this process:

1. A free VMware Server was installed using the complete setup type.

2. Windows XP Professional was then installed using 10GB of disk space with
bridged networking enabled.

3. After Windows was successfully installed, the system was started and the
Thinstall Virtualization Suite was installed.

4. After successfully installing the Thinstall Virtualization Suite, the system was
shut down and the VMware advanced setting for the virtual Windows hard
drive was set to “Independent-Nonpersistent.” This is the most crucial step,
since it allows the virtual machine to revert to the “clean” state each time
it is powered off.

As mentioned earlier, after the Thinstall capture process a batch file is produced
to initiate the final build process (Figure 27), which is the second stage of the
Thinstall software packaging process. The reason there is a two-stage process—capture
and build—is to allow administrators to customize the software’s captured configuration
files to address different scenarios. For instance, most software programs are very
sensitive to the number of licenses assigned. Given the ability to edit configuration files,
an administrator can edit the configuration file and set the software to expire after a
specific duration of time. This mechanism was used while packaging an NPS copy
of the Adobe Illustrator software. After the packaging process, an INF file was edited to
use VBScript code that sets the software to expire after three days. Typically, in a
network environment, application access control could easily be done through
Microsoft Active Directory; however, this could not be achieved for the NPS DL students
since some of the applications will be used off-line.
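The three-day expiry is a timer evaluated on the student's own machine. As an added example (written for this page; it is neither the thesis's VBScript nor Thinstall's INF format), the following launch check shows that timer in Python together with two checks a packager would want on any client-side expiry: an HMAC over the build date so an edited metadata file is rejected, and a last-seen timestamp so a clock that has been set backwards is detected. The secret, the build metadata and the state dictionary are constructed; nothing here contacts a license server.

```python
"""Added example (not the thesis's VBScript nor Thinstall's INF syntax): a
time-limited launch check like the three-day expiry described above, with two
additions a packager would want on a client-side timer: an HMAC over the build
date so a casual edit of the metadata is detected, and a last-seen timestamp so
a rolled-back clock is detected. The secret, the metadata and the state file
are constructed; nothing here talks to a license server."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

TRIAL_DAYS = 3  # the duration used in the thesis test


def _tag(payload: dict, secret: bytes) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_metadata(built: datetime, secret: bytes, days: int = TRIAL_DAYS) -> dict:
    """Packager side: what gets written next to the package at build time."""
    payload = {"built": built.isoformat(), "days": days}
    return {**payload, "tag": _tag(payload, secret)}


def check_launch(meta: dict, state: dict, now: datetime, secret: bytes) -> tuple[bool, str]:
    """Launcher side. `state` stands in for the per-user state file and is
    updated in place with the latest time seen so rollbacks can be caught."""
    payload = {"built": meta.get("built"), "days": meta.get("days")}
    if not hmac.compare_digest(_tag(payload, secret), str(meta.get("tag", ""))):
        return False, "build metadata has been altered"
    built = datetime.fromisoformat(payload["built"])
    if now >= built + timedelta(days=payload["days"]):
        return False, "trial period expired"
    last = state.get("last_seen")
    if last is not None and now < datetime.fromisoformat(last):
        return False, "system clock is earlier than last recorded run"
    state["last_seen"] = now.isoformat()
    return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Four constructed launches: normal, clock rolled back, expired, edited date."""
    secret = b"constructed-build-secret"           # assumption: shipped with the launcher
    built = datetime(2007, 9, 1, 9, 0, tzinfo=timezone.utc)
    meta = build_metadata(built, secret)
    state: dict = {}
    results = []
    results.append(check_launch(meta, state, built + timedelta(days=1), secret))
    results.append(check_launch(meta, state, built + timedelta(hours=12), secret))
    results.append(check_launch(meta, state, built + timedelta(days=4), secret))
    edited = dict(meta, built=(built + timedelta(days=30)).isoformat())
    results.append(check_launch(edited, state, built + timedelta(days=4), secret))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

Both additions only raise the bar: the secret and the check ship inside the package on the student's machine, so this remains a convenience control for the off-line case the text describes, not a substitute for the Active Directory group control or license-server enforcement available on the NPS network.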

2. Summary of Testing Results 

During the testing phase, five applications were successfully packaged and built
using the Thinstall Virtualization Software. The five applications tested are RealPlayer,
Engineering Equation Software (EES), MathType 6, Google Earth, and Microsoft Visio
2007. The applications were installed and packaged on the virtualized Windows XP
environment using VMware Server, then uploaded to a private Web server for access and
testing using NMCI systems. Below is a screenshot of the uploaded packaged
applications on the private web server.
Figure 28. Successfully packaged applications uploaded on a private web server

A selected group of NPS and NMCI users were chosen to test the software. Both
groups were able to successfully run the virtualized packaged applications with no
conflicts. Additionally, users from both groups had the option of either running the
software directly from the given website or saving the virtualized applications to their
desktops, as shown in Figure 29 below.
Figure 29. Running Thinstall Applications from a Website

VII. CONCLUSION


A. PROJECT SUMMARY 

Maximizing the efficiency of data centers and providing high-availability 
computing services to organizations means increasing performance while minimizing 
costs and reducing power requirements. Various mechanisms can help the NPS ITACS 
Department to accomplish these goals, but one that is rapidly increasing in popularity is 
application delivery through virtualization. By using virtualization technologies such as 
Thinstall, NPS can potentially consolidate their Citrix Presentation Servers and provide 
additional space for virtualized software. The benefits that could potentially be 
experienced by using the recommended virtualization approach are numerous for both 
NPS and the NPS DL students. 

1. Return on Investment and Benefits 

Thinstall has the ability to integrate seamlessly with the current NPS 
infrastructure for several reasons. First, Thinstall allows for the elimination of required 
installations from the clients’ end, which leads to the elimination of application conflicts 
occurrences. Second, the need for multiple regression testing will be eliminated. Third, 
multiple versions of the same application can be used simultaneously on the same Citrix 
Server, therefore eliminating the need for additional Citrix servers. Fourth, applications 
are easily provisioned and updated by IT administrators. Fifth, applications and user data 
can be run from removable media if needed. And finally, Thinstall does not have a 
required architecture; therefore, it could be easily integrated with the NPS infrastructure 
(Spruijt, 2007). According to tests and ratings done by several technology journals,
including InfoWorld, Thinstall received a rating of 8 on a scale of 10. This
rating was based on Thinstall’s overall manageability, scalability, ease of use,
setup, and value (Kennedy, 2007).

By investing in the proposed method, NPS could fully utilize their investment in
the five Citrix Presentation Servers by consolidating servers to free more space to host Thinstall
virtualized applications. NPS would be able to provide both applications that require licensed
communications with an internal server and general applications using Thinstall.
Moreover, DL students will have the flexibility to run any of those applications on any
system, whether it is an NMCI locked-down system or a home computer system.

B. RECOMMENDATIONS FOR FUTURE RESEARCH 

Based on the numerous benefits of Thinstall application virtualization and its
successful implementation in the DoD, consideration should be given to implementing this
technology for NPS campus-wide use. Testing application deployment using Thinstall
virtualization at one of the NPS Learning Resource Center (LRC) labs could be used to
determine with absolute certainty whether virtualization solutions are in fact feasible for
on-campus NPS use.